[Ndn-interest] How to add the SecRuleRelative Rules in validator-regex?

Yingdi Yu yingdi at CS.UCLA.EDU
Mon Mar 2 11:19:40 PST 2015


The regex for key locator requires “dsk-…” but the signing key is “ksk-…”.

Yingdi




> On Mar 2, 2015, at 10:19 AM, Chengyu Fan <chengy.fan at gmail.com> wrote:
> 
> Hi Alex,
> 
> I wrote a toy example to use the SecRuleRelative (the code is listed below).
> 
> I thought the data should satisfy the rule, but I always get "unsatisfied" on my Ubuntu 14.04.1 ... Could you tell me what's wrong with the code?
> 
> =================
>     Name dataName("/test/site2/user2");
>     dataName.append("testApp"); // the data name is /test/site2/user2/testApp
> 
>     // Create Data packet
>     static const std::string content = "HELLO WORLD";
>     shared_ptr<Data> data = make_shared<Data>();
>     data->setName(dataName);
>     data->setFreshnessPeriod(time::seconds(10));
>     data->setContent(reinterpret_cast<const uint8_t*>(content.c_str()), content.size());
> 
>     Name producerId("/test/site2/user2");
>     m_keyChain.signByIdentity(*data, producerId); // now the keyLocator is /test/site2/user2/KEY/ksk-1425277773626/ID-CERT
> 
>     SecRuleRelative rule("^(<>*)$",
>                          "^([^<KEY>]*)<KEY>(<>*)<dsk-.*><ID-CERT>$",
>                          ">", "\\1", "\\1\\2", true);
>     /*  /test/site2/user2/testApp should match the packetRegex "^(<>*)$", expand is /test/site2/user2/testApp
>         /test/site2/user2/KEY/ksk-1425277773626/ID-CERT should match the signerRegex, expand is /test/site2/user2/
>         The data name /test/site2/user2/testApp is under the signer's namespace /test/site2/user2/
>     */
> 
>     if (rule.satisfy(*data))
>       std::cout << "satisfied" << std::endl;
>     else {
>       std::cout << "unsatisfied" << std::endl;
>     }
> =================
> 
> On Mon, Mar 2, 2015 at 9:48 AM, Chengyu Fan <chengy.fan at gmail.com> wrote:
> Hi Alex,
> 
> Thanks for the reply.
> 
> Further questions in line.
> 
> On Sat, Feb 28, 2015 at 4:45 PM, Alex Afanasyev <alexander.afanasyev at ucla.edu> wrote:
> Hi Chengyu,
> 
> I assumed there was documentation for this method, but the commit that adds it is not yet merged.  Here is the description we will have soon:
> 
>   /**
>    * @brief Construct the rule
>    * @param packetRegex regular expression to match the packet name that is qualified for
>    *                    the rule (e.g., `^(<.*>)$`)
>    * @param signerRegex regular expression to match the KeyLocator of the packet (e.g.,
>    *                    `^(<.*>)<KEY>(<.*>)<ID-CERT><>$`)
>    * @param comparator Defines the way expanded signer's name is matched against expanded
>    *                   packet's name.  Possible values are:
>    *                     - "is-prefix-of"
>    *                     - "is-strict-prefix-of"
>    *                     - "equal"
> 
> Which symbol refers to which value?
>  
>    * @param packetExpand Expansion rule for packet's name (e.g., `\1`)
>    * @param signerExpand Expansion rule for signer's name (e.g., `\1\2`)
>    * @param isPositive flag denoting whether the rule is positive or negative
>    *
>    * @note A packet complies with the rule only if both \p packetRegex matches the packet name
>    *       and \p signerRegex matches the KeyLocator name
> 
> According to the comparator description, I think this function also needs to test if the expanded signer's name matched against the expanded packet's name?
>  
>    */
> 
> 
>> On Feb 27, 2015, at 7:59 PM, Chengyu Fan <chengy.fan at gmail.com> wrote:
>> 
>> Could you tell me how the SecRuleRelative Rule works? 
>> 
>> Specifically, what's the meaning of each parameter? What conditions will the rule test to make an incoming data satisfy the rule?
>> ndn::SecRuleRelative::SecRuleRelative <http://named-data.net/doc/ndn-cxx/0.2.0/doxygen/d6/de6/classndn_1_1SecRuleRelative.html#ae75d154107abd094ad47b9195aa3f896> (
>>     const std::string& dataRegex,
>>     const std::string& signerRegex,
>>     const std::string& op,
>>     const std::string& dataExpand,
>>     const std::string& signerExpand,
>>     bool isPositive
>> )
>> 
>> 
>> 
>> On Fri, Feb 27, 2015 at 1:59 PM, Alex Afanasyev <alexander.afanasyev at ucla.edu> wrote:
>> 
>>> On Feb 27, 2015, at 12:10 PM, Chengyu Fan <chengy.fan at gmail.com> wrote:
>>> 
>>> Hi,
>>> 
>>> I'm trying to use the validator-regex to validate the incoming data, but I am stuck on how to add the SecRuleRelative Rule.
>>> 
>>> Can somebody tell me some clues?
>>> 
>>> Specifically, I find the example in SecurityLibrary (http://redmine.named-data.net/projects/ndn-cxx/wiki/SecurityLibrary), but I don't understand the RuleRelative rule below ...
>>> SecRuleRelative rule("^(<>*)$", "^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$", 
>>>                      ">", "\\1", "\\1\\2", true);
>>> 
>>> What's the meaning of ">", "\\1", "\\1\\2" ? Can someone give me an example?
>> 
>> These are just regular expression rules.  \\1 (\1, it’s just that \ needs to be escaped in C++) refers to the first group of the regular expression, \\2 refers to the second group, etc.
>> 
>> There are many documentation sources about regexps, e.g., http://www.boost.org/doc/libs/1_57_0/libs/regex/doc/html/boost_regex/syntax/perl_syntax.html.
>> 
>> The only difference in our regular expressions is the fact that they are defined over name components, not just strings.  There is documentation for this at http://named-data.net/doc/ndn-cxx/current/tutorials/utils-ndn-regex.html
>> 
>> Alex
>> 
>> 
>> 
>> 
>> 
>> -- 
>> Thanks,
>> 
>> Chengyu
> 
> 
> 
> 
> -- 
> Thanks,
> 
> Chengyu
> 
> 
> 
> -- 
> Thanks,
> 
> Chengyu
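
The mismatch pointed out at the top of this message can be reproduced without ndn-cxx. The following is an added example, not code from the thread or from the ndn-cxx project: `RelativeRuleModel` and `makeRule` are hypothetical names, the patterns are `std::regex` translations of the thread's NDN regexes constructed for this illustration, and the meaning of `">"` (signer name is a strict prefix of the packet name) is an assumption.

```cpp
// Added illustration: a simplified std::regex model of the check, not ndn-cxx code.
#include <iostream>
#include <regex>
#include <string>

// Hypothetical stand-in for SecRuleRelative with op ">" (assumed here to mean: the expanded
// signer name is a strict prefix of the expanded packet name). Names are URI strings.
struct RelativeRuleModel {
  std::regex packetRegex, signerRegex;
  std::string packetExpand, signerExpand;

  bool satisfy(const std::string& packetName, const std::string& keyLocator) const {
    std::smatch p, s;
    if (!std::regex_match(packetName, p, packetRegex)) return false;  // rule does not apply
    if (!std::regex_match(keyLocator, s, signerRegex)) return false;  // key name has wrong shape
    const std::string data = p.format(packetExpand);
    const std::string signer = s.format(signerExpand);
    // Strict prefix, compared on a component boundary so /a/user2 does not cover /a/user22.
    return data.size() > signer.size() &&
           data.compare(0, signer.size(), signer) == 0 && data[signer.size()] == '/';
  }
};

// ECMAScript translations (constructed for this example) of the thread's NDN regexes:
//   ^(<>*)$                                    -> any name
//   ^([^<KEY>]*)<KEY>(<>*)<TYPE-.*><ID-CERT>$  -> TYPE is "dsk" or "ksk"
RelativeRuleModel makeRule(const std::string& keyType) {
  return {std::regex("^((?:/[^/]+)*)$"),
          std::regex("^((?:/(?!KEY/)[^/]+)*)/KEY((?:/[^/]+)*)/" + keyType + "-[^/]*/ID-CERT$"),
          "$1", "$1$2"};
}

int main() {
  const std::string locator = "/test/site2/user2/KEY/ksk-1425277773626/ID-CERT";
  const std::string name = "/test/site2/user2/testApp";
  std::cout << std::boolalpha
            << "dsk rule, ksk key: " << makeRule("dsk").satisfy(name, locator) << "\n"
            << "ksk rule, ksk key: " << makeRule("ksk").satisfy(name, locator) << "\n"
            << "other namespace:   "
            << makeRule("ksk").satisfy("/test/site2/user22/testApp", locator) << "\n";
}
```

The signer regex acts as a gate on the key's name: a key locator that does not match it fails the rule before any namespace comparison takes place, which is why the `dsk` rule reports "unsatisfied" for a `ksk`-signed packet.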