<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;
      charset=iso-8859-2">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>When I dump the certificate I get the correct name:</p>
    <p><span>ndnsec-dump-certificate -i -p /root/site1</span></p>
    <p><span>Certificate name:<br>
          /root/site1/KEY/%AF%C7%D8y3%5De%06/NA/%FD%00%00%01_AR%9B%1C</span></p>
    <p><span> Key Locator: Name=/root/KEY/%AC%FD%1A%A9%CA%9A%A5%C3<br>
      </span></p>
    <p><span><br>
      </span></p>
    <p><span>However, when I use it to sign, the name I get at the
        consumer is:</span></p>
    <p><span> /root/site1/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_N%9E%0Aw<br>
      </span></p>
    <p><span><br>
      </span></p>
    <p><span>The "NA" component is missing and that's the cause of the
        problem. <br>
      </span></p>
    <p><span><br>
      </span></p>
    <p>In some tutorials, people submit the "-N /root/site1" parameter to
      the <span>ndnsec-certgen command. However, in the newest version,
        this option is not present. Could it be the problem?<br>
      </span></p>
    <br>
    <div class="moz-cite-prefix">On 24/10/17 15:10, Muktadir R Chowdhury
      (mrchwdhr) wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:DM2PR04MB480240EE1532C11E7C1588ADA470@DM2PR04MB480.namprd04.prod.outlook.com">
      <div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;"
        dir="ltr">
        <p>The value for <span>KEY_COMPONENT_OFFSET is -4. That means
            you get the 4th component from the last. Another way of
            saying this is that you have three more components after KEY.</span></p>
        <p><span><br>
          </span></p>
        <p><span>Your key/cert creation looks fine.</span></p>
        <p><span>You can check the name of the certificate using this
            command:</span></p>
        <p><span>ndnsec-dump-certificate -i -p /root,</span></p>
        <p><span>ndnsec-dump-certificate -i -p /root/site1</span></p>
        <p><span><br>
          </span></p>
        <p><span>Just make sure the data that contains the certificate
            is the same as the name of the certificate.</span></p>
        <p><span><br>
          </span></p>
        <p><span>Muktadir</span></p>
        <p><span><br>
          </span></p>
      </div>
      <hr style="display:inline-block;width:98%" tabindex="-1">
      <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
          face="Calibri, sans-serif" color="#000000"><b>From:</b> Michał
          Król <a class="moz-txt-link-rfc2396E" href="mailto:m.krol@ucl.ac.uk">&lt;m.krol@ucl.ac.uk&gt;</a><br>
          <b>Sent:</b> Tuesday, October 24, 2017 7:54:44 PM<br>
          <b>To:</b> Muktadir R Chowdhury (mrchwdhr);
          <a class="moz-txt-link-abbreviated" href="mailto:ndn-interest@lists.cs.ucla.edu">ndn-interest@lists.cs.ucla.edu</a><br>
          <b>Subject:</b> Re: [Ndn-interest] Complete trust management
          from scratch in ndn-cxx</font>
        <div> </div>
      </div>
      <div>
        <p>Thanks for your message Muktadir. However, it still looks
          like the &lt;key-owner-prefix&gt; can have only one component.
          <br>
        </p>
        <p><br>
        </p>
        <p>When I send an Interest for "/root", use identity "/root" to
          sign and data name "root" it works fine. But when I send an
          interest for "/root/site1", use identity "/root/site1" to sign
          and data name "root/site1" it doesn't, because the check in
          ndn-cxx is expecting "KEY" and I have "site1" now as the
          second component. I tried to set the site1 signed certificate
          as the trust anchor in the config file, but it still doesn't
          help.
          <br>
        </p>
        <p><br>
        </p>
        <p>The check I'm talking about is in
          ./src/security/v2/certificate.cpp line 132.
          KEY_COMPONENT_OFFSET points to the wrong name component. Maybe
          there's a problem when I'm generating the identities?</p>
        <p>I do it like this:</p>
        <p>ndnsec-keygen /root | tee root.ndncert | ndnsec-cert-install
          -<br>
          ndnsec-keygen /root/site1 > site1.req<br>
          ndnsec-certgen  -s /root/ site1.req > site1.ndncert<br>
          ndnsec-cert-install -f site1.ndncert</p>
        <p><br>
        </p>
        <p>Once again, thanks a lot for your help,</p>
        <p>Michał<br>
        </p>
        <br>
        <div class="moz-cite-prefix">On 23/10/17 21:35, Muktadir R
          Chowdhury (mrchwdhr) wrote:<br>
        </div>
        <blockquote type="cite"
cite="mid:DM2PR04MB48046908D1186D00E63424ADA460@DM2PR04MB480.namprd04.prod.outlook.com">
          <div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;"
            dir="ltr">
            <p>Hi,</p>
            <p>When your producer sends the certificate make sure that
              the name of the data is the name of the certificate.
              Because the receiver will use the data packet to construct
              the certificate. If the data name does not follow the
              certificate naming convention, the constructor for
              Certificate will throw the error you reported.</p>
            <p> </p>
            <p>Please note that certificate name and key name are
              different.</p>
            <p>Key name: &lt;key-owner-prefix&gt;/KEY/&lt;key-id&gt;, </p>
            <p>Certificate name: <span style="font-family: Calibri,
                Helvetica, sans-serif, Helvetica, EmojiFont, &quot;Apple
                Color Emoji&quot;, &quot;Segoe UI Emoji&quot;,
                NotoColorEmoji, &quot;Segoe UI Symbol&quot;,
                &quot;Android Emoji&quot;, EmojiSymbols; font-size:
                16px;">&lt;key-owner-prefix&gt;/KEY/&lt;key-id&gt;/&lt;issuer-id&gt;/&lt;version-id&gt;.</span></p>
            <p><span style="font-family: Calibri, Helvetica, sans-serif,
                Helvetica, EmojiFont, &quot;Apple Color Emoji&quot;,
                &quot;Segoe UI Emoji&quot;, NotoColorEmoji, &quot;Segoe
                UI Symbol&quot;, &quot;Android Emoji&quot;,
                EmojiSymbols; font-size: 16px;"><br>
              </span></p>
            <p><span style="font-family: Calibri, Helvetica, sans-serif,
                Helvetica, EmojiFont, &quot;Apple Color Emoji&quot;,
                &quot;Segoe UI Emoji&quot;, NotoColorEmoji, &quot;Segoe
                UI Symbol&quot;, &quot;Android Emoji&quot;,
                EmojiSymbols; font-size: 16px;">For a certificate name the
                library is expecting three more components after the
                "KEY" component.</span></p>
            <p><span style="font-family: Calibri, Helvetica, sans-serif,
                Helvetica, EmojiFont, &quot;Apple Color Emoji&quot;,
                &quot;Segoe UI Emoji&quot;, NotoColorEmoji, &quot;Segoe
                UI Symbol&quot;, &quot;Android Emoji&quot;,
                EmojiSymbols; font-size: 16px;"><br>
              </span></p>
            <p><span style="font-family: Calibri, Helvetica, sans-serif,
                Helvetica, EmojiFont, &quot;Apple Color Emoji&quot;,
                &quot;Segoe UI Emoji&quot;, NotoColorEmoji, &quot;Segoe
                UI Symbol&quot;, &quot;Android Emoji&quot;,
                EmojiSymbols; font-size: 16px;">Let me know if you have
                any more questions.</span></p>
            <p><span style="font-family: Calibri, Helvetica, sans-serif,
                Helvetica, EmojiFont, &quot;Apple Color Emoji&quot;,
                &quot;Segoe UI Emoji&quot;, NotoColorEmoji, &quot;Segoe
                UI Symbol&quot;, &quot;Android Emoji&quot;,
                EmojiSymbols; font-size: 16px;"><br>
              </span></p>
            <p><span style="font-family: Calibri, Helvetica, sans-serif,
                Helvetica, EmojiFont, &quot;Apple Color Emoji&quot;,
                &quot;Segoe UI Emoji&quot;, NotoColorEmoji, &quot;Segoe
                UI Symbol&quot;, &quot;Android Emoji&quot;,
                EmojiSymbols; font-size: 16px;">Muktadir</span></p>
          </div>
          <hr style="display:inline-block;width:98%" tabindex="-1">
          <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
              face="Calibri, sans-serif" color="#000000"><b>From:</b>
              Ndn-interest
              <a class="moz-txt-link-rfc2396E"
                href="mailto:ndn-interest-bounces@lists.cs.ucla.edu"
                moz-do-not-send="true">
                &lt;ndn-interest-bounces@lists.cs.ucla.edu&gt;</a> on
              behalf of Michał Król <a class="moz-txt-link-rfc2396E"
                href="mailto:m.krol@ucl.ac.uk" moz-do-not-send="true">
                &lt;m.krol@ucl.ac.uk&gt;</a><br>
              <b>Sent:</b> Sunday, October 22, 2017 7:28:45 PM<br>
              <b>To:</b> <a class="moz-txt-link-abbreviated"
                href="mailto:Matteo.Bertolino@eurecom.fr"
                moz-do-not-send="true">
                Matteo.Bertolino@eurecom.fr</a>; <a
                class="moz-txt-link-abbreviated"
                href="mailto:ndn-interest@lists.cs.ucla.edu"
                moz-do-not-send="true">
                ndn-interest@lists.cs.ucla.edu</a><br>
              <b>Subject:</b> Re: [Ndn-interest] Complete trust
              management from scratch in ndn-cxx</font>
            <div> </div>
          </div>
          <div>
            <p>I looked a bit deeper in the code and I found the reason
              for the problem. <br>
            </p>
            <p>ndn-cxx is expecting "KEY" as the second component in the
              certificate name. However, my certificate name is:
              "/root/publisher/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_D8%F1%A4",
              so "KEY" is the third component. </p>
            <p>When I changed the code to put "/root/" in the Interest
              instead of "/root/site1" it solved the problem and the
              signature is verified correctly. In future experiments I
              would like to implement a hierarchy of trust. Do you know
              what the problem is here?</p>
            <p>Best,</p>
            <p>Michał<br>
            </p>
            <br>
            <div class="moz-cite-prefix">On 17/10/17 10:49, Michał Król
              wrote:<br>
            </div>
            <blockquote type="cite"
              cite="mid:d78599a8-d4de-1a20-0b2a-036d1566c8d8@ucl.ac.uk">
              <p>Hi Matteo, <br>
              </p>
              <p>thanks for your message. It's just a formatting
                problem. For some reason my mail client decided to
                replace tabs with "/" and "?". They are not present in
                the files though.
                <br>
              </p>
              <p>I've seen your tutorial before. Actually, it was the
                only complete solution I could find online, so I was
                basing heavily on it. Thank you. My setup seems only
                slightly different, but I still can't make it work.
                <br>
              </p>
              <p>Best,</p>
              <p>Michał<br>
              </p>
              <p><br>
              </p>
              <br>
              <blockquote type="cite"
                cite="mid:EAB20BA3-4E53-44A8-8CF9-5C1DF292037F@ucl.ac.uk">
                <br class="">
                <div style=""><br class="">
                  <blockquote type="cite" class="">
                    <div class="">Begin forwarded message:</div>
                    <br class="Apple-interchange-newline">
                    <div style="margin-top: 0px; margin-right: 0px;
                      margin-bottom: 0px; margin-left: 0px;" class="">
                      <span style="font-family: -webkit-system-font,
                        Helvetica Neue, Helvetica, sans-serif;
                        color:rgba(0, 0, 0, 1.0);" class=""><b class="">From:
                        </b></span><span style="font-family:
                        -webkit-system-font, Helvetica Neue, Helvetica,
                        sans-serif;" class="">Matteo Bertolino &lt;<a
                          href="mailto:Matteo.Bertolino@eurecom.fr"
                          class="" moz-do-not-send="true">Matteo.Bertolino@eurecom.fr</a>&gt;<br
                          class="">
                      </span></div>
                    <div style="margin-top: 0px; margin-right: 0px;
                      margin-bottom: 0px; margin-left: 0px;" class="">
                      <span style="font-family: -webkit-system-font,
                        Helvetica Neue, Helvetica, sans-serif;
                        color:rgba(0, 0, 0, 1.0);" class=""><b class="">Subject:
                        </b></span><span style="font-family:
                        -webkit-system-font, Helvetica Neue, Helvetica,
                        sans-serif;" class=""><b class="">Re:
                          [Ndn-interest] Complete trust management from
                          scratch in ndn-cxx</b><br class="">
                      </span></div>
                    <div style="margin-top: 0px; margin-right: 0px;
                      margin-bottom: 0px; margin-left: 0px;" class="">
                      <span style="font-family: -webkit-system-font,
                        Helvetica Neue, Helvetica, sans-serif;
                        color:rgba(0, 0, 0, 1.0);" class=""><b class="">Date:
                        </b></span><span style="font-family:
                        -webkit-system-font, Helvetica Neue, Helvetica,
                        sans-serif;" class="">16 October 2017 19:49:16
                        BST<br class="">
                      </span></div>
                    <div style="margin-top: 0px; margin-right: 0px;
                      margin-bottom: 0px; margin-left: 0px;" class="">
                      <span style="font-family: -webkit-system-font,
                        Helvetica Neue, Helvetica, sans-serif;
                        color:rgba(0, 0, 0, 1.0);" class=""><b class="">To:
                        </b></span><span style="font-family:
                        -webkit-system-font, Helvetica Neue, Helvetica,
                        sans-serif;" class="">&lt;<a
                          href="mailto:ndn-interest@lists.cs.ucla.edu"
                          class="" moz-do-not-send="true">ndn-interest@lists.cs.ucla.edu</a>&gt;<br
                          class="">
                      </span></div>
                    <br class="">
                    <div class="">Hello,<br class="">
                      why do you have the "//" in each line of the
                      validator?<br class="">
                      I am by phone so I cannot provide you easily a
                      good answer, but you can find a completed and
                      commented use case  here:
                      <a
href="https://github.com/MatteoBertolino92/NDN-matteo/blob/master/ndncxx_miniNDN_someUseCases_nacks__certificates__interest_verification.pdf"
                        class="" moz-do-not-send="true">
https://github.com/MatteoBertolino92/NDN-matteo/blob/master/ndncxx_miniNDN_someUseCases_nacks__certificates__interest_verification.pdf</a><br
                        class="">
                      <br class="">
                      Section 3. Write me if you need some clarifications.<br
                        class="">
                      Matteo<br class="">
                      <br class="">
                      <br class="">
                      Quoting Michał Król &lt;<a
                        href="mailto:m.krol@ucl.ac.uk" class=""
                        moz-do-not-send="true">m.krol@ucl.ac.uk</a>&gt;:<br
                        class="">
                      <br class="">
                      <blockquote type="cite" class="">Dear all,<br
                          class="">
                        <br class="">
                        I'm struggling with setting up a simple
                        trust/security system in NDN. I<br class="">
                        find it difficult to find an updated set
                        of information that will work for<br class="">
                        all system components. Please correct me if I
                        misunderstood something.<br class="">
                        <br class="">
                        I have a very simple scenario: one producer and
                        one consumer on one<br class="">
                        machine. I want to have a central entity (root)
                        and a publisher<br class="">
                        (publisher) that will be allowed to publish
                        trusted content.<br class="">
                        <br class="">
                        I first create the root certificate using ndnsec
                        and selfsign it: /<br class="">
                        /<br class="">
                        <br class="">
                        /    ndnsec-key-gen -n /root//<br class="">
                        /<br class="">
                        <br class="">
                        /    ndnsec-sign-req /root > root.cert/<br
                          class="">
                        <br class="">
                        Next I create a certificate for the publisher
                        and sign it using the root<br class="">
                        certificate:<br class="">
                        <br class="">
                        /   ndnsec-key-gen -n /root/publisher >
                        unsigned_publisher.cert//<br class="">
                        //   ndnsec-cert-gen -S 201510080000 -E
                        202010080000  -s /root -i<br class="">
                        /root/publisher -r unsigned_publisher.cert  >
                        publisher.cert/<br class="">
                        <br class="">
                        <br class="">
                        I then used the publisher identity to sign the
                        data:<br class="">
                        <br class="">
                        /    m_ident =
                        m_keyChain.createIdentity(Name("/root/publisher"));//<br
                          class="">
                        //    m_info =
                        ndn::security::SigningInfo(m_ident);/<br
                          class="">
                        <br class="">
                        /    m_keyChain.sign(*data, m_info);/<br
                          class="">
                        <br class="">
                        On the consumer side I use a validator to
                        validate data:<br class="">
                        <br class="">
                        /    m_validator->load("sample.cfg");/<br
                          class="">
                        <br class="">
                        /    m_validator->validate (data,//<br
                          class="">
                        //           
                        ndn::bind(&Consumer::onValidated, this,
                        _1),//<br class="">
                        //           
                        ndn::bind(&Consumer::onValidationFailed,
                        this, _1, _2));/<br class="">
                        <br class="">
                        <br class="">
                        I want to trust everything signed with the
                        publisher's key. The<br class="">
                        sample.cfg is:<br class="">
                        <br class="">
                        /    rule//<br class="">
                        //    {//<br class="">
                        //      id "Sample Rule"//<br class="">
                        //      for data//<br class="">
                        //      filter//<br class="">
                        //      {//<br class="">
                        //        type name//<br class="">
                        //        name /root/publisher//<br class="">
                        //        relation is-prefix-of//<br class="">
                        //      }//<br class="">
                        //      checker//<br class="">
                        //      {//<br class="">
                        //        type hierarchical//<br class="">
                        //        sig-type rsa-sha256//<br class="">
                        //      }//<br class="">
                        //    }//<br class="">
                        //<br class="">
                        //    trust-anchor//<br class="">
                        //    {//<br class="">
                        //      type file//<br class="">
                        //      file-name "root.cert"//<br class="">
                        //    }/<br class="">
                        <br class="">
                        <br class="">
                        Now, when I launch the consumer, it issues an
                        interest, gets the data,<br class="">
                        issues another interest to get the key<br
                          class="">
(/root/publisher/KEY/4%05i%7E%3C%F6%87%2F/%FD%00%00%01_%25%8Bz%80), but<br
                          class="">
                        ends up with an error:<br class="">
                        <br class="">
                        /    Malformed certificate (Name does not follow
                        the naming convention<br class="">
                        for certificate). /<br class="">
                        <br class="">
                        <br class="">
                        My question is now, is it how I'm supposed to do
                        this? If yes, what's<br class="">
                        the problem here? If not, is there any example
                        tutorial, walking through<br class="">
                        all the steps of managing trust in NDN (ndnsec,
                        app, validator)?<br class="">
                        <br class="">
                        Thanks in advance,<br class="">
                        <br class="">
                        Michał<br class="">
                        <br class="">
                        <br class="">
                      </blockquote>
                      <br class="">
                      <br class="">
                      <br class="">
                    </div>
                  </blockquote>
                </div>
                <br class="">
              </blockquote>
              <br>
            </blockquote>
            <br>
          </div>
        </blockquote>
        <br>
      </div>
    </blockquote>
    <br>
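    <p>Added example, not part of the original thread and not ndn-cxx
      code: a stand-alone C++ program that applies the naming check
      described in the messages above ("KEY" at offset -4, so key-id,
      issuer-id and version follow it) to the names quoted in the thread.
      The helper names splitName, componentsAfterKey,
      looksLikeCertificateName and diagnose are hypothetical. Because the
      offset counts from the end of the name, the number of components in
      the key-owner prefix does not affect the result.</p>

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Split an NDN URI into name components. Percent-escapes (including %2F)
// stay inside their component; only a literal '/' separates components.
std::vector<std::string> splitName(const std::string& uri) {
  std::vector<std::string> comps;
  std::string cur;
  for (char ch : uri) {
    if (ch != '/') { cur += ch; continue; }
    if (!cur.empty()) comps.push_back(cur);
    cur.clear();
  }
  if (!cur.empty()) comps.push_back(cur);
  return comps;
}

// Number of components after the last "KEY" component, or -1 if none.
int componentsAfterKey(const std::string& uri) {
  const std::vector<std::string> c = splitName(uri);
  for (std::size_t i = c.size(); i-- > 0;)
    if (c[i] == "KEY") return static_cast<int>(c.size() - 1 - i);
  return -1;
}

// Value stated in the thread; the check below is a stand-in modelled on
// that description, not the library's own source.
const int KEY_COMPONENT_OFFSET = -4;

// True when "KEY" is the 4th component from the end, whatever the prefix depth.
bool looksLikeCertificateName(const std::string& uri) {
  const std::vector<std::string> c = splitName(uri);
  const int n = static_cast<int>(c.size());
  const int idx = n + KEY_COMPONENT_OFFSET;
  return idx >= 0 && c[static_cast<std::size_t>(idx)] == "KEY";
}

// Explain why a name passes or fails the convention.
std::string diagnose(const std::string& uri) {
  if (looksLikeCertificateName(uri)) return "certificate name";
  const int after = componentsAfterKey(uri);
  if (after < 0) return "no KEY component";
  if (after == 1) return "key name (issuer-id and version missing)";
  return std::to_string(after) + " component(s) after KEY, expected 3";
}

int main() {
  // Names copied from the messages in this thread.
  const char* names[] = {
    "/root/site1/KEY/%AF%C7%D8y3%5De%06/NA/%FD%00%00%01_AR%9B%1C",
    "/root/site1/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_N%9E%0Aw",
    "/root/KEY/%AC%FD%1A%A9%CA%9A%A5%C3",
    "/root/publisher/KEY/4%05i%7E%3C%F6%87%2F/%FD%00%00%01_%25%8Bz%80",
  };
  for (const char* n : names)
    std::cout << diagnose(n) << "  <-  " << n << "\n";
  return 0;
}
```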
  </body>
</html>