Feature #5148
open
ValidatorConfig: multiple sig-type restrictions in a single checker
Added by Junxiao Shi almost 4 years ago.
Updated about 1 year ago.
Description
In ValidatorConfig, it's sometimes useful to specify a restriction on SignatureType.
For example, a checker could be specified as:
checker
{
  type hierarchical
  sig-type rsa-sha256
  sig-type ecdsa-sha256
}
The sig-type key should be optional and repeatable.
If sig-type is present, the packet must have any one of the specified SignatureTypes.
If sig-type is absent, the packet may have any SignatureType.
The syntax of sig-type value is to be determined.
It should at least allow specifying the signature algorithm, and could be extended to also specify minimum key length.
- Related to Bug #4524: validator_config::Checker should enforce sig-type check added
- Status changed from New to Duplicate
#4524 used to be temporarily removing the sig-type configuration, but it has evolved to implement that check instead.
Thus, this issue becomes a duplicate.
Note that the #4524 implementation differs from the above proposal in several ways:
- sig-type config is not repeatable.
- Default is SignatureType=3, not "any".
- There's no minimal key length restriction.
We still want to implement support for multiple signature types in the same checker at some point, so this is not a duplicate.
Davide Pesavento wrote in #note-3:
> We still want to implement support for multiple signature types in the same checker
It isn't strictly necessary. A policy author can write several parallel checkers, one for each acceptable signature type.
- Subject changed from ValidatorConfig: sig-type restriction to ValidatorConfig: multiple sig-type restrictions in a single checker
- Status changed from Duplicate to New
- Tags changed from security, ValidatorConfig to ValidatorConfig
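The semantics proposed in the description, next to the parallel-checker alternative raised in the last comment, as an added example that is not ndn-cxx code. It models only the sig-type decision (not the hierarchical name check), every function and type name is hypothetical, the two value strings are the ones in the description's sample, and the SignatureType numbers are those of the NDN packet format.

```cpp
#include <cstdint>
#include <set>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Illustrative model, not ndn-cxx code; all names here are hypothetical.
struct Checker {
  std::string type;
  std::set<uint32_t> sigTypes;  // empty: sig-type absent, any SignatureType accepted
};

// Map a sig-type value to its SignatureType number in the NDN packet format.
uint32_t sigTypeFromName(const std::string& name) {
  if (name == "rsa-sha256") return 1;    // SignatureSha256WithRsa
  if (name == "ecdsa-sha256") return 3;  // SignatureSha256WithEcdsa
  throw std::invalid_argument("unknown sig-type: " + name);  // fail closed
}

// Parse the body of one checker block ("key value" pairs); sig-type may repeat.
Checker parseChecker(const std::string& body) {
  Checker c;
  std::istringstream in(body);
  std::string key, value;
  while (in >> key) {
    if (!(in >> value)) throw std::invalid_argument("missing value for " + key);
    if (key == "type") c.type = value;
    else if (key == "sig-type") c.sigTypes.insert(sigTypeFromName(value));
    else throw std::invalid_argument("unknown key: " + key);
  }
  return c;
}

// Proposed rule: no sig-type means any; otherwise the packet's type must be listed.
bool sigTypeAllowed(const Checker& c, uint32_t packetSigType) {
  return c.sigTypes.empty() || c.sigTypes.count(packetSigType) > 0;
}

// Parallel single-sig-type checkers: accept when any one of them accepts.
bool anyCheckerAllows(const std::vector<Checker>& checkers, uint32_t packetSigType) {
  for (const auto& c : checkers)
    if (sigTypeAllowed(c, packetSigType)) return true;
  return false;
}

int main() {  // constructed input: the checker body from the description
  Checker c = parseChecker("type hierarchical sig-type rsa-sha256 sig-type ecdsa-sha256");
  return sigTypeAllowed(c, 3) && !sigTypeAllowed(c, 0) ? 0 : 1;
}
```

An unknown sig-type value is rejected at parse time, so a typo in the policy cannot silently turn a restricted checker into one that accepts every SignatureType.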