Feature #5142
closed
ValidatorConfig: Accommodate certificate name in hierarchical checker
100%
Description
In ValidatorConfig, a hierarchical checker requires that the packet name must be under the namespace of the packet signer.
It has the form:
checker
{
type hierarchical
sig-type {SIG-TYPE}
}
It is currently defined to be equivalent to:
checker
{
type customized
sig-type {SIG-TYPE}
key-locator
{
type name
hyper-relation
{
k-regex ^(<>*)<KEY><>$
k-expand \\1
h-relation is-prefix-of
p-regex ^(<>*)$
p-expand \\1
}
}
}
In #5112, KeyLocator can contain a certificate name instead of a key name.
The hierarchical checker should be changed accordingly to maintain its intended semantics.
Updated by Junxiao Shi about 3 years ago
- Related to Feature #5112: Include certificate name in KeyLocator added
Updated by Junxiao Shi about 3 years ago
- Tags set to security
- Assignee set to Junxiao Shi
- Target version set to 0.8.0
20210212 NFD call approves this design.
Updated by Junxiao Shi about 3 years ago
- Status changed from New to In Progress
- Estimated time changed from 1.50 h to 3.00 h
Updated by Junxiao Shi about 3 years ago
- Status changed from In Progress to Code review
- % Done changed from 0 to 60
https://gerrit.named-data.net/c/ndn-cxx/+/6361 updates:
- hierarchical checker and its documentation
- name relation checker
Moreover, I've also deduplicated some code in the checker test suite with MPL.
I need a Cartesian product metafunction but it's only available in Boost.MP11 that is not in Ubuntu 18.
I decide to use three boost::mpl::push_backs instead of more fold magic, to improve readability at the cost of more templates.
I can confirm that this change does not lose test cases because build/unit-tests -t Security/ValidatorConfig/TestChecker indicates there are 39 test cases before and after the change.
Updated by Junxiao Shi about 3 years ago
- Status changed from Code review to Closed
- % Done changed from 60 to 100
Updated by Junxiao Shi about 3 years ago
- Tags changed from security to security, ValidatorConfig