Feature #5148
openValidatorConfig: multiple sig-type restrictions in a single checker
Description
In ValidatorConfig, it's sometimes useful to specify a restriction on SignatureType.
For example, a checker could be specified as:
    checker
    {
      type hierarchical
      sig-type rsa-sha256
      sig-type ecdsa-sha256
    }

The sig-type key should be optional and repeatable.
If sig-type is present, the packet must have any one of the specified SignatureTypes.
If sig-type is absent, the packet may have any SignatureType.
The syntax of the sig-type value is to be determined.
It should at least allow specifying the signature algorithm, and could be extended to also specify minimum key length.
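The semantics proposed above (sig-type optional, repeatable, "any one of" when present, unrestricted when absent) can be made concrete with a small parser and matcher. The following is an added example written for this page, not ndn-cxx code: it parses one checker block, accumulates repeated sig-type lines into a set, and answers whether a packet's SignatureType is acceptable. The token names rsa-sha256 and ecdsa-sha256 come from the proposal; their mapping to numeric SignatureType codes (1 and 3 in the NDN packet format) and the extra hmac-sha256 token are assumptions made here, since the value syntax is explicitly still to be determined. Minimum key length is not modelled.

```cpp
#include <map>
#include <set>
#include <sstream>
#include <stdexcept>
#include <string>

// Numeric SignatureType codes as defined in the NDN packet format.
// Assumed mapping for this example; the proposal only names the tokens.
enum SignatureType : int {
  DigestSha256 = 0,   // not a signature; never accepted by a sig-type token
  RsaSha256 = 1,
  EcdsaSha256 = 3,
  HmacSha256 = 4,
};

// Hypothetical token vocabulary for the sig-type value.
static const std::map<std::string, int> kSigTypeTokens = {
  {"rsa-sha256", RsaSha256},
  {"ecdsa-sha256", EcdsaSha256},
  {"hmac-sha256", HmacSha256},
};

struct CheckerRule {
  std::string type;        // e.g. "hierarchical"
  std::set<int> sigTypes;  // empty == no restriction (proposal semantics)

  // Proposal: absent -> any SignatureType; present -> any one of the listed ones.
  bool acceptsSignature(int sigType) const {
    return sigTypes.empty() || sigTypes.count(sigType) > 0;
  }
};

// Parse a single "checker { ... }" block of "key value" lines.
// Repeated sig-type lines accumulate; unknown keys or tokens are rejected
// so a typo cannot silently widen the policy.
CheckerRule parseChecker(const std::string& text) {
  CheckerRule rule;
  std::istringstream in(text);
  std::string line;
  while (std::getline(in, line)) {
    std::istringstream ls(line);
    std::string key, value;
    if (!(ls >> key)) continue;                    // blank line
    if (key == "checker" || key == "{") continue;  // block header / open brace
    if (key == "}") break;                         // end of this checker
    if (!(ls >> value)) throw std::runtime_error("missing value for key: " + key);
    if (key == "type") {
      rule.type = value;
    } else if (key == "sig-type") {
      auto it = kSigTypeTokens.find(value);
      if (it == kSigTypeTokens.end()) throw std::runtime_error("unknown sig-type: " + value);
      rule.sigTypes.insert(it->second);
    } else {
      throw std::runtime_error("unknown checker key: " + key);
    }
  }
  return rule;
}

// Convenience wrapper: does this config text parse without error?
bool checkerParses(const std::string& text) {
  try { parseChecker(text); return true; } catch (const std::exception&) { return false; }
}

// Constructed sample configs matching the proposal in the issue description.
static const std::string kRestricted =
    "checker\n{\n  type hierarchical\n  sig-type rsa-sha256\n  sig-type ecdsa-sha256\n}\n";
static const std::string kUnrestricted =
    "checker\n{\n  type hierarchical\n}\n";

int main() {
  CheckerRule r = parseChecker(kRestricted);
  // Accepts RSA or ECDSA, rejects everything else.
  return (r.acceptsSignature(RsaSha256) && r.acceptsSignature(EcdsaSha256) &&
          !r.acceptsSignature(HmacSha256)) ? 0 : 1;
}
```

The rejection of unknown keys and tokens is the part worth keeping in any real implementation: a misspelled sig-type line that was silently ignored would turn a restricted checker into an unrestricted one.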
Updated by Junxiao Shi almost 4 years ago
- Related to Bug #4524: validator_config::Checker should enforce sig-type check added
Updated by Junxiao Shi over 3 years ago
- Status changed from New to Duplicate
#4524 was originally about temporarily removing the sig-type configuration, but it has evolved to implement that check instead.
Thus, this issue becomes a duplicate.
Note that the #4524 implementation differs from the above proposal in several ways:
- sig-type config is not repeatable.
- Default is SignatureType=3, not "any".
- There's no minimum key length restriction.
Updated by Davide Pesavento over 3 years ago
We still want to implement support for multiple signature types in the same checker at some point, so this is not a duplicate.
Updated by Junxiao Shi over 3 years ago
Davide Pesavento wrote in #note-3:
We still want to implement support for multiple signature types in the same checker
It isn't strictly necessary. A policy author can write several parallel checkers, one for each acceptable signature type.
Updated by Alex Afanasyev over 3 years ago
- Subject changed from ValidatorConfig: sig-type restriction to ValidatorConfig: multiple sig-type restrictions in a single checker
Updated by Davide Pesavento about 1 year ago
- Tags changed from security, ValidatorConfig to ValidatorConfig