Project

General

Profile

Bug #4339

Updated by Alex Afanasyev about 7 years ago

`checker.key-locator` is incorrectly interpreted as identity name instead of, as the name suggests, name First we show an example of the key. validator config: 

 This result in authentication failure with NLSR rules: 

 ``` 
        
 rule 
         
 { 
           
   id "NLSR ControlCommand Rule" 
           
   for interest 
           
   filter 
           
   { 
             
      type name 
             
      regex ^<localhost><nlsr><prefix-update>[<advertise><withdraw>]<><><>$ 
           
   } 
           
   checker 
           
   { 
             
      type customized 
             
      sig-type rsa-sha256 
             
      key-locator 
             
      { 
               
          type name 
               
          regex ^<>*<KEY><>$ ; TODO: correct regex for key name 
             ^<>*$ 
      } 
           
   } 
         
 } 
         rule 
         { 
           id "NLSR Hierarchy Rule" 
           for data 
           filter 
           { 
             type name 
             regex ^[^<KEY>]*<KEY><ksk-.*><ID-CERT><>$ 
           } 
           checker 
           { 
             type hierarchical 
             sig-type rsa-sha256 
           } 
         } 
         trust-anchor 
         { 
          type file 
          file-name "site.cert" 
         } 
 ``` 

 Expected: success to match command interests and then The value of field checker::key-locator is `^<>*$`. There is somehow an inconsistency here: In security v1, the value here will check against trust anchor the keylocator value (cert name); while in current implementation of security v2, this value check only the identity name of the keylocator's value (key name). 

 Actual: failure to pass To hold the first checker 

 ``` consistency, we should nail down the configuration definition:  

 We call the KeyLocator value in the packet `key name`. 
 1507222563.583 DEBUG: [PrefixUpdateProcessor] reject /localhost/nlsr/prefix-update/advertise/h%19%07%17%08%06prefix%08%02to%08%09advertise/%00%00%01I%9DY%8C%AA/%BF%D0Xr%9B%AF%8E%FD/%16%3D%1B%01%03%1C8%076%08%03edu%08%09test-site%08%0A%C1.Operator%08%09%FD%00%00%01I%9DY%8C%A0%08%03KEY%08%08%C1R%20%29%87O%CF%FE/%17H0F%02%21%00%BB-ZG%0D%06%B6%89%E3%22t%FD%3A%B5%94.WGS%F7%C1%01%15%84%7D%F6%F5t%C4%A8%A5%B8%02%21%00%C8T%12%27%9C%2C%0D%060x%15%C4%DE%03P%B5%CD%88.%AE%B5%D8%5Cc%04_%A2%E2%8A%D9%F3%02 signer=? Validation policy error (KeyLocator There are three types of keylocator: name relation, regex, hyper-relation 
 * For name relation, the value in the field key-locator should match the **identity name** extracted from the key name. 
 * For regex, the value in the field key-locator should match the **key name** 
 * For hyper-relation, the value in the field key-locator should check failed: regex ^<>*<KEY><>$ for packet /localhost/nlsr/prefix-update/advertise/h%19%07%17%08%06prefix%08%02to%08%09advertise/%00%00%01I%9DY%8C%AA/%BF%D0Xr%9B%AF%8E%FD is invalid (KeyLocator=/edu/test-site/%C1.Operator/%FD%00%00%01I%9DY%8C%A0/KEY/%C1R%20%29%87O%CF%FE, identity=/edu/test-site/%C1.Operator/%FD%00%00%01I%9DY%8C%A0)) 
 ``` 

 name and **key name**

Back