<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-2">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>If I understood correctly, the API says that createIdentity() just
retrieves the identity if it's already in the system (even if the
name is somewhat misleading):</p>
<p><br>
</p>
<p>"This method will check if the identity exists in PIB and whether
the identity has a default key and default certificate. If the
identity does not exist, this method will create the identity in
PIB. If the identity's default key does not exist, this method
will create a key pair and set it as the identity's default key.
If the key's default certificate is missing, this method will
create a self-signed certificate for the key."</p>
<p><br>
Anyway, which other method should be used to retrieve the
certificate? I couldn't find any "good practice" document about how
it's supposed to be done. <br>
</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 24/10/17 16:02, Muktadir R Chowdhury
(mrchwdhr) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM2PR04MB4804D84D80A61C349C6ECD5DA470@DM2PR04MB480.namprd04.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-2">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;"
dir="ltr">
<p>You don't have to create the site identity again. You are
creating it using ndnsec-key-gen.</p>
<p><br>
</p>
<p>Just use the identity name to get the certificate, put it in
the data packet, name the data packet as the name of the cert,
then send it.</p>
<p><br>
</p>
<p>Muktadir</p>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b> Michał
Król <a class="moz-txt-link-rfc2396E" href="mailto:m.krol@ucl.ac.uk"><m.krol@ucl.ac.uk></a><br>
<b>Sent:</b> Tuesday, October 24, 2017 8:32:00 PM<br>
<b>To:</b> Muktadir R Chowdhury (mrchwdhr);
<a class="moz-txt-link-abbreviated" href="mailto:ndn-interest@lists.cs.ucla.edu">ndn-interest@lists.cs.ucla.edu</a><br>
<b>Subject:</b> Re: [Ndn-interest] Complete trust management
from scratch in ndn-cxx</font>
<div> </div>
</div>
<div>
<p>Sure, in the constructor I use:</p>
<p> m_face.setInterestFilter("/root/site1",<br>
bind(&Producer::onInterest,
this, _1, _2),<br>
RegisterPrefixSuccessCallback(),<br>
bind(&Producer::onRegisterFailed, this, _1, _2));<br>
<br>
<br>
m_ident = m_keyChain.createIdentity(Name("/root/site1"));<br>
m_info = ndn::security::SigningInfo(m_ident);</p>
<p><br>
</p>
<p>And then in when an interest arrives I use this to sign the
data:</p>
<p> m_keyChain.sign(*data, m_info);<br>
</p>
<br>
<div class="moz-cite-prefix">On 24/10/17 15:28, Muktadir R
Chowdhury (mrchwdhr) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM2PR04MB4803A42BE6896F8F771194BDA470@DM2PR04MB480.namprd04.prod.outlook.com">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;"
dir="ltr">
<p>How are you serving the certificate?</p>
<p>Can you share the code where producer is sending the
certificate?</p>
<p><br>
</p>
<p>Muktadir</p>
<p><br>
</p>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
Michał Król
<a class="moz-txt-link-rfc2396E"
href="mailto:m.krol@ucl.ac.uk" moz-do-not-send="true"><m.krol@ucl.ac.uk></a><br>
<b>Sent:</b> Tuesday, October 24, 2017 8:24:35 PM<br>
<b>To:</b> Muktadir R Chowdhury (mrchwdhr); <a
class="moz-txt-link-abbreviated"
href="mailto:ndn-interest@lists.cs.ucla.edu"
moz-do-not-send="true">
ndn-interest@lists.cs.ucla.edu</a><br>
<b>Subject:</b> Re: [Ndn-interest] Complete trust
management from scratch in ndn-cxx</font>
<div> </div>
</div>
<div>
<p>When I dump the certificate I get the correct name:</p>
<p><span>ndnsec-dump-certificate -i -p /root/site1</span></p>
<p><span>Certificate name:<br>
/root/site1/KEY/%AF%C7%D8y3%5De%06/NA/%FD%00%00%01_AR%9B%1C</span></p>
<p><span> Key Locator:
Name=/root/KEY/%AC%FD%1A%A9%CA%9A%A5%C3<br>
</span></p>
<p><span><br>
</span></p>
<p><span>However, when I use it to sign, the name I get at
the consumer is:</span></p>
<p><span> /root/site1/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_N%9E%0Aw<br>
</span></p>
<p><span><br>
</span></p>
<p><span>The "NA" component is missing and that's the cause
of the problem. <br>
</span></p>
<p><span><br>
</span></p>
<p>In some tutorials, people submit "-N /root/site1"
parameter to the <span>ndnsec-certgen command. However,
in the newest version, this option is not present. Could
it be the problem?<br>
</span></p>
<p><span><br>
</span></p>
<p><br>
</p>
<p><br>
</p>
<p>/root/site1/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_N%9E%0Aw<br>
</p>
<br>
<div class="moz-cite-prefix">On 24/10/17 15:10, Muktadir R
Chowdhury (mrchwdhr) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM2PR04MB480240EE1532C11E7C1588ADA470@DM2PR04MB480.namprd04.prod.outlook.com">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;"
dir="ltr">
<p>The value for <span>KEY_COMPONENT_OFFSET is -4. That
means you get the 4th component from the last.
Another way of saying this is that you have three
more components after KEY.</span></p>
<p><span><br>
</span></p>
<p><span>Your key/cert creation looks fine.</span></p>
<p><span>You can check the name of the certificate using
this command:</span></p>
<p><span>ndnsec-dump-certificate -i -p /root,</span></p>
<p><span>ndnsec-dump-certificate -i -p /root/site1</span></p>
<p><span><br>
</span></p>
<p><span>Just make sure the data that contains the
certificate is the same as the name of the certificate.</span></p>
<p><span><br>
</span></p>
<p><span>Muktadir</span></p>
<p><span><br>
</span></p>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>From:</b> Michał Król
<a class="moz-txt-link-rfc2396E"
href="mailto:m.krol@ucl.ac.uk"
moz-do-not-send="true">
<m.krol@ucl.ac.uk></a><br>
<b>Sent:</b> Tuesday, October 24, 2017 7:54:44 PM<br>
<b>To:</b> Muktadir R Chowdhury (mrchwdhr); <a
class="moz-txt-link-abbreviated"
href="mailto:ndn-interest@lists.cs.ucla.edu"
moz-do-not-send="true">
ndn-interest@lists.cs.ucla.edu</a><br>
<b>Subject:</b> Re: [Ndn-interest] Complete trust
management from scratch in ndn-cxx</font>
<div> </div>
</div>
<div>
<p>Thanks for your message Muktadir. However, it still
looks like the <key-owner-prefix> can have only
one component.
<br>
</p>
<p><br>
</p>
<p>When I send an Interest for "/root", use identity
"/root" to sign and data name "root" it works fine.
But when I send an interest for "/root/site1", use
identity "/root/site1" to sign and data name
"root/site1" it doesn't, because the check in ndn-cxx
is expecting "KEY" and I have "site1" now as the
second component. I tried to set the site1 signed
certificate as the trust anchor in the config file,
but it still doesn't help.
<br>
</p>
<p><br>
</p>
<p>The check I'm talking about is in
./src/security/v2/certificate.cpp line 132.
KEY_COMPONENT_OFFSET points to the wrong name
component. Maybe there's a problem when I'm generating
the identities?</p>
<p>I do it like this:</p>
<p>ndnsec-keygen /root | tee root.ndncert |
ndnsec-cert-install -<br>
ndnsec-keygen /root/site1 > site1.req<br>
ndnsec-certgen -s /root/ site1.req > site1.ndncert<br>
ndnsec-cert-install -f site1.ndncert</p>
<p><br>
</p>
<p>Once again, thanks a lot for your help,</p>
<p>Michał<br>
</p>
<br>
<div class="moz-cite-prefix">On 23/10/17 21:35, Muktadir
R Chowdhury (mrchwdhr) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM2PR04MB48046908D1186D00E63424ADA460@DM2PR04MB480.namprd04.prod.outlook.com">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;"
dir="ltr">
<p>Hi,</p>
<p>When your producer sends the certificate make
sure that the name of the data is the name of the
certificate. Because the receiver will use the
data packet to construct the certificate. If the
data name does not follow the certificate naming
convention, the constructor for Certificate will
throw the error you reported.</p>
<p> </p>
<p>Please note that certificate name and key name
are different.</p>
<p>Key name:
<key-owner-prefix>/KEY/<key-id>, </p>
<p>Certificate name:
<key-owner-prefix>/KEY/<key-id>/<issuer-id>/<version-id>.</p>
<p><br>
</p>
<p>For a certificate name the library is expecting three more
components after the "KEY" component.</p>
<p><br>
</p>
<p>Let me know if you have any more questions.</p>
<p><br>
</p>
<p>Muktadir</p>
</div>
<hr style="display:inline-block;width:98%"
tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>From:</b> Ndn-interest
<a class="moz-txt-link-rfc2396E"
href="mailto:ndn-interest-bounces@lists.cs.ucla.edu"
moz-do-not-send="true">
<ndn-interest-bounces@lists.cs.ucla.edu></a>
on behalf of Michał Król <a
class="moz-txt-link-rfc2396E"
href="mailto:m.krol@ucl.ac.uk"
moz-do-not-send="true">
<m.krol@ucl.ac.uk></a><br>
<b>Sent:</b> Sunday, October 22, 2017 7:28:45 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated"
href="mailto:Matteo.Bertolino@eurecom.fr"
moz-do-not-send="true">
Matteo.Bertolino@eurecom.fr</a>; <a
class="moz-txt-link-abbreviated"
href="mailto:ndn-interest@lists.cs.ucla.edu"
moz-do-not-send="true">
ndn-interest@lists.cs.ucla.edu</a><br>
<b>Subject:</b> Re: [Ndn-interest] Complete trust
management from scratch in ndn-cxx</font>
<div> </div>
</div>
<div>
<p>I looked a bit deeper in the code and I found the
reason for the problem. <br>
</p>
<p>ndn-cxx is expecting "KEY" as the second
component in the certificate name. However, my
certificate name is:
"/root/publisher/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_D8%F1%A4",
so "KEY" is the third component. </p>
<p>When I changed the code to put "/root/" in the
Interest instead of "/root/site1" it solved the
problem and the signature is verified correctly.
In future experiments I would like to implement a
hierarchy of trust. Do you know what is the
problem here?</p>
<p>Best,</p>
<p>Michał<br>
</p>
<br>
<div class="moz-cite-prefix">On 17/10/17 10:49,
Michał Król wrote:<br>
</div>
<blockquote type="cite"
cite="mid:d78599a8-d4de-1a20-0b2a-036d1566c8d8@ucl.ac.uk">
<p>Hi Matteo, <br>
</p>
<p>thanks for your message. It's just a formatting
problem. For some reason my mail client decided
to replace tabs with "/" and "?". They are not
present in the files though.
<br>
</p>
<p>I've seen your tutorial before. Actually, it
was the only complete solution I could find
online, so I was basing heavily on it. Thank
you. My setup seems only slightly different, but
I still can't make it work.
<br>
</p>
<p>Best,</p>
<p>Michał<br>
</p>
<p><br>
</p>
<br>
<blockquote type="cite"
cite="mid:EAB20BA3-4E53-44A8-8CF9-5C1DF292037F@ucl.ac.uk">
<br class="">
<div style=""><br class="">
<blockquote type="cite" class="">
<div class="">Begin forwarded message:</div>
<br class="Apple-interchange-newline">
<div style="margin-top: 0px; margin-right:
0px; margin-bottom: 0px; margin-left:
0px;" class="">
<span style="font-family:
-webkit-system-font, Helvetica Neue,
Helvetica, sans-serif; color:rgba(0, 0,
0, 1.0);" class=""><b class="">From:
</b></span><span style="font-family:
-webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class="">Matteo
Bertolino <<a
href="mailto:Matteo.Bertolino@eurecom.fr"
class="" moz-do-not-send="true">Matteo.Bertolino@eurecom.fr</a>><br
class="">
</span></div>
<div style="margin-top: 0px; margin-right:
0px; margin-bottom: 0px; margin-left:
0px;" class="">
<span style="font-family:
-webkit-system-font, Helvetica Neue,
Helvetica, sans-serif; color:rgba(0, 0,
0, 1.0);" class=""><b class="">Subject:
</b></span><span style="font-family:
-webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class=""><b
class="">Re: [Ndn-interest] Complete
trust management from scratch in
ndn-cxx</b><br class="">
</span></div>
<div style="margin-top: 0px; margin-right:
0px; margin-bottom: 0px; margin-left:
0px;" class="">
<span style="font-family:
-webkit-system-font, Helvetica Neue,
Helvetica, sans-serif; color:rgba(0, 0,
0, 1.0);" class=""><b class="">Date:
</b></span><span style="font-family:
-webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class="">16
October 2017 19:49:16 BST<br class="">
</span></div>
<div style="margin-top: 0px; margin-right:
0px; margin-bottom: 0px; margin-left:
0px;" class="">
<span style="font-family:
-webkit-system-font, Helvetica Neue,
Helvetica, sans-serif; color:rgba(0, 0,
0, 1.0);" class=""><b class="">To:
</b></span><span style="font-family:
-webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class=""><<a
href="mailto:ndn-interest@lists.cs.ucla.edu" class=""
moz-do-not-send="true">ndn-interest@lists.cs.ucla.edu</a>><br
class="">
</span></div>
<br class="">
<div class="">Hello,<br class="">
why do you have the "//" in each line of
the validator?<br class="">
I am on my phone so I cannot easily provide
you a good answer, but you can find a
completed and commented use case here:
<a
href="https://github.com/MatteoBertolino92/NDN-matteo/blob/master/ndncxx_miniNDN_someUseCases_nacks__certificates__interest_verification.pdf"
class="" moz-do-not-send="true">
https://github.com/MatteoBertolino92/NDN-matteo/blob/master/ndncxx_miniNDN_someUseCases_nacks__certificates__interest_verification.pdf</a><br
class="">
<br class="">
Section 3. Write me if you need some
clarifications.<br class="">
Matteo<br class="">
<br class="">
<br class="">
Quoting Michał Król <<a
href="mailto:m.krol@ucl.ac.uk" class=""
moz-do-not-send="true">m.krol@ucl.ac.uk</a>>:<br
class="">
<br class="">
<blockquote type="cite" class="">Dear all,<br
class="">
<br class="">
I'm struggling with setting up a simple
trust/security system in NDN. I<br
class="">
find it difficult to find an updated set of
information that will work for<br
class="">
all system components. Please correct me
if I misunderstood something.<br
class="">
<br class="">
I have a very simple scenario: one
producer and one consumer on one<br
class="">
machine. I want to have a central entity
(root) and a publisher<br class="">
(publisher) that will be allowed to
publish trusted content.<br class="">
<br class="">
I first create the root certificate
using ndnsec and selfsign it: /<br
class="">
/<br class="">
<br class="">
/ ndnsec-key-gen -n /root//<br
class="">
/<br class="">
<br class="">
/ ndnsec-sign-req /root >
root.cert/<br class="">
<br class="">
Next I create a certificate for the
publisher and sign it using the root<br
class="">
certificate:<br class="">
<br class="">
/ ndnsec-key-gen -n /root/publisher
> unsigned_publisher.cert//<br
class="">
// ndnsec-cert-gen -S 201510080000 -E
202010080000 -s /root -i<br class="">
/root/publisher -r
unsigned_publisher.cert >
publisher.cert/<br class="">
<br class="">
<br class="">
I then used the publisher identity to
sign the data:<br class="">
<br class="">
/ m_ident =
m_keyChain.createIdentity(Name("/root/publisher"));//<br
class="">
// m_info =
ndn::security::SigningInfo(m_ident);/<br
class="">
<br class="">
/ m_keyChain.sign(*data, m_info);/<br
class="">
<br class="">
On the consumer side I use a validator
to validate data:<br class="">
<br class="">
/
m_validator->load("sample.cfg");/<br
class="">
<br class="">
/ m_validator->validate (data,//<br
class="">
//
ndn::bind(&Consumer::onValidated,
this, _1),//<br class="">
//
ndn::bind(&Consumer::onValidationFailed,
this, _1, _2));/<br class="">
<br class="">
<br class="">
I want to trust everything signed with
the publishers key. The<br class="">
sample.cfg is:<br class="">
<br class="">
/ rule//<br class="">
// {//<br class="">
// id "Sample Rule"//<br class="">
// for data//<br class="">
// filter//<br class="">
// {//<br class="">
// type name//<br class="">
// name /root/publisher//<br
class="">
// relation is-prefix-of//<br
class="">
// }//<br class="">
// checker//<br class="">
// {//<br class="">
// type hierarchical//<br
class="">
// sig-type rsa-sha256//<br
class="">
// }//<br class="">
// }//<br class="">
//<br class="">
// trust-anchor//<br class="">
// {//<br class="">
// type file//<br class="">
// file-name "root.cert"//<br
class="">
// }/<br class="">
<br class="">
<br class="">
Now, when I launch the consumer, it
issues an interest, gets the data,<br
class="">
issues another interest to get the key<br
class="">
(/root/publisher/KEY/4%05i%7E%3C%F6%87%2F/%FD%00%00%01_%25%8Bz%80), but<br
class="">
ends up with an error:<br class="">
<br class="">
/ Malformed certificate (Name does
not follow the naming convention<br
class="">
for certificate). /<br class="">
<br class="">
<br class="">
My question is now, is it how I'm
supposed to do this? If yes, what's<br
class="">
the problem here? If not, is there any
example tutorial, walking through<br
class="">
all the steps of managing trust in NDN
(ndnsec, app, validator)?<br class="">
<br class="">
Thanks in advance,<br class="">
<br class="">
Michał<br class="">
<br class="">
<br class="">
</blockquote>
<br class="">
<br class="">
<br class="">
-------------------------------------------------------------------------------<br
class="">
This message was sent using EURECOM
Webmail: <a
href="http://webmail.eurecom.fr"
class="" moz-do-not-send="true">
http://webmail.eurecom.fr</a><br
class="">
<br class="">
_______________________________________________<br class="">
Ndn-interest mailing list<br class="">
<a
href="mailto:Ndn-interest@lists.cs.ucla.edu"
class="" moz-do-not-send="true">Ndn-interest@lists.cs.ucla.edu</a><br
class="">
<a class="moz-txt-link-freetext"
href="http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest"
moz-do-not-send="true">http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest</a><br
class="">
</div>
</blockquote>
</div>
<br class="">
</blockquote>
<br>
</blockquote>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote>
<br>
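<p>As an added, stand-alone illustration of the naming convention the thread turns on (example code written for this page; it is not ndn-cxx code and not from any message above): a small C++ program that parses percent-encoded NDN name URIs as ndnsec prints them, checks whether a name is a key name (KEY second from the end) or a certificate name (KEY fourth from the end, i.e. KEY_COMPONENT_OFFSET = -4), splits a certificate name into owner prefix, key-id, issuer-id and version, and rejects the key-shaped name from the thread with the same "Malformed certificate" wording. It also models the "type hierarchical" checker from sample.cfg as "the signing key's owner prefix must be a prefix of the packet name"; that model, the function names, and the unreserved character set used when re-encoding are assumptions, not ndn-cxx's exact behaviour.</p>

```cpp
// Added example (not ndn-cxx code, not from the thread). NDN naming convention:
//   key name:         <key-owner-prefix>/KEY/<key-id>
//   certificate name: <key-owner-prefix>/KEY/<key-id>/<issuer-id>/<version-id>
// A Data packet that carries a certificate but is named with the key name
// (one component short) is exactly the "Malformed certificate" case reported.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <stdexcept>
#include <string>
#include <vector>

static const size_t KEY_POS_FROM_END = 4; // ndn-cxx's KEY_COMPONENT_OFFSET is -4

static bool isHex(char c) { return std::isxdigit(static_cast<unsigned char>(c)) != 0; }

// Decode one percent-encoded component ("%AF%C7..." as ndnsec prints it) into
// raw bytes. Constructed helper: only %XX escapes are handled.
static std::string decodeComponent(const std::string& enc) {
    std::string out;
    for (size_t i = 0; i < enc.size(); ++i) {
        if (enc[i] == '%' && i + 2 < enc.size() && isHex(enc[i + 1]) && isHex(enc[i + 2])) {
            const char hex[3] = { enc[i + 1], enc[i + 2], '\0' };
            out.push_back(static_cast<char>(std::strtol(hex, nullptr, 16)));
            i += 2;
        } else {
            out.push_back(enc[i]);
        }
    }
    return out;
}

// Split "/root/site1/KEY/..." into decoded components. Splitting happens before
// decoding so an escaped slash (%2F) inside a key-id stays inside its component.
static std::vector<std::string> parseNameUri(const std::string& uri) {
    std::vector<std::string> comps;
    std::string cur;
    for (size_t i = 0; i <= uri.size(); ++i) {
        if (i == uri.size() || uri[i] == '/') {
            if (!cur.empty()) comps.push_back(decodeComponent(cur));
            cur.clear();
        } else {
            cur.push_back(uri[i]);
        }
    }
    return comps;
}

// Re-encode for display. Keeps alphanumerics and "+-._" (assumption: this
// approximates the escaping seen in the thread's ndnsec output).
static std::string toUri(const std::vector<std::string>& name) {
    std::string out;
    for (const std::string& comp : name) {
        out.push_back('/');
        for (unsigned char b : comp) {
            if (std::isalnum(b) || b == '+' || b == '-' || b == '.' || b == '_') {
                out.push_back(static_cast<char>(b));
            } else {
                char esc[4];
                std::snprintf(esc, sizeof esc, "%%%02X", b);
                out += esc;
            }
        }
    }
    return out.empty() ? std::string("/") : out;
}

// KEY is 2nd from the end of a key name and 4th from the end of a cert name.
static bool isKeyName(const std::vector<std::string>& name) {
    return name.size() >= 2 && name[name.size() - 2] == "KEY";
}
static bool isCertificateName(const std::vector<std::string>& name) {
    return name.size() >= KEY_POS_FROM_END && name[name.size() - KEY_POS_FROM_END] == "KEY";
}

struct CertNameParts {
    std::vector<std::string> ownerPrefix; // <key-owner-prefix>
    std::string keyId, issuerId, versionId;
};

// Split a certificate name into its parts; the error text mirrors the thread.
static CertNameParts splitCertificateName(const std::vector<std::string>& name) {
    if (!isCertificateName(name))
        throw std::invalid_argument("Malformed certificate (Name does not follow "
                                    "the naming convention for certificate)");
    const size_t n = name.size();
    CertNameParts p;
    p.ownerPrefix.assign(name.begin(), name.begin() + (n - KEY_POS_FROM_END));
    p.keyId = name[n - 3];
    p.issuerId = name[n - 2]; // "NA" in the thread's dumped certificate
    p.versionId = name[n - 1];
    return p;
}

// The key name a certificate belongs to: owner prefix + KEY + key-id.
static std::vector<std::string> keyNameOf(const CertNameParts& p) {
    std::vector<std::string> key = p.ownerPrefix;
    key.push_back("KEY");
    key.push_back(p.keyId);
    return key;
}

// Simplified model (assumption) of sample.cfg's "type hierarchical" checker:
// the signing key's owner prefix must be a prefix of the packet name.
static bool hierarchicalCheck(const std::vector<std::string>& packetName,
                              const std::vector<std::string>& keyName) {
    if (!isKeyName(keyName)) return false;
    const size_t ownerLen = keyName.size() - 2;
    return packetName.size() >= ownerLen &&
           std::equal(keyName.begin(), keyName.begin() + ownerLen, packetName.begin());
}

int main() {
    // The three names that appear in the thread.
    const char* names[] = {
        "/root/site1/KEY/%AF%C7%D8y3%5De%06/NA/%FD%00%00%01_AR%9B%1C",
        "/root/site1/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_N%9E%0Aw",
        "/root/publisher/KEY/4%05i%7E%3C%F6%87%2F/%FD%00%00%01_%25%8Bz%80",
    };
    for (const char* n : names) {
        std::vector<std::string> name = parseNameUri(n);
        std::printf("%-68s cert=%d key=%d\n", n, isCertificateName(name), isKeyName(name));
    }
    return 0;
}
```

<p>Run against the thread's names, only the dumped certificate name (the one with the "NA" issuer component) passes isCertificateName; the name the consumer saw in the Key Locator and the original "/root/publisher/KEY/.../%FD..." name both have KEY at the third position from the end and are rejected, which is the check Muktadir points to in certificate.cpp.</p>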
</body>
</html>