[Ndn-interest] Complete trust management from scratch in ndn-cxx

Michał Król m.krol at ucl.ac.uk
Sun Oct 22 06:28:45 PDT 2017


I looked a bit deeper into the code and I found the reason for the problem.

ndn-cxx is expecting "KEY" as the second component in the certificate
name. However, my certificate name is:
"/root/publisher/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_D8%F1%A4", so "KEY"
is the third component. 

When I changed the code to put "/root/" in the Interest instead of
"/root/site1" it solved the problem and the signature is verified
correctly. In future experiments I would like to implement a hierarchy
of trust. Do you know what is the problem here?

Best,

Michał


On 17/10/17 10:49, Michał Król wrote:
>
> Hi Matteo,
>
> thanks for your message. It's just a formatting problem. For some
> reason my mail client decided to replace tabs with "/" and "?". They
> are not present in the files though.
>
> I've seen your tutorial before. Actually, it was the only complete
> solution I could find online, so I was basing my work heavily on it.
> Thank you. My setup seems only slightly different, but I still can't
> make it work.
>
> Best,
>
> Michał
>
>
>
>>
>>
>>> Begin forwarded message:
>>>
>>> From: Matteo Bertolino <Matteo.Bertolino at eurecom.fr>
>>> Subject: Re: [Ndn-interest] Complete trust management from
>>> scratch in ndn-cxx
>>> Date: 16 October 2017 19:49:16 BST
>>> To: <ndn-interest at lists.cs.ucla.edu>
>>>
>>> Hello,
>>> why do you have the "//" in each line of the validator?
>>> I am by phone so I cannot provide you easily a good answer, but you
>>> can find a completed and commented use case here:
>>> https://github.com/MatteoBertolino92/NDN-matteo/blob/master/ndncxx_miniNDN_someUseCases_nacks__certificates__interest_verification.pdf
>>>
>>> Section 3. Write me if you need some clarifications.
>>> Matteo
>>>
>>>
>>> Quoting Michał Król <m.krol at ucl.ac.uk>:
>>>
>>>> Dear all,
>>>>
>>>> I'm struggling with setting up a simple trust/security system in NDN. I
>>>> find it difficult to find an updated set of information that will work for
>>>> all system components. Please correct me if I misunderstood something.
>>>>
>>>> I have a very simple scenario: one producer and one consumer on one
>>>> machine. I want to have a central entity (root) and a publisher
>>>> (publisher) that will be allowed to publish trusted content.
>>>>
>>>> I first create the root certificate using ndnsec and self-sign it:
>>>>
>>>>     ndnsec-key-gen -n /root
>>>>     ndnsec-sign-req /root > root.cert
>>>>
>>>> Next I create a certificate for the publisher and sign it using the
>>>> root certificate:
>>>>
>>>>     ndnsec-key-gen -n /root/publisher > unsigned_publisher.cert
>>>>     ndnsec-cert-gen -S 201510080000 -E 202010080000 -s /root -i /root/publisher -r unsigned_publisher.cert > publisher.cert
>>>>
>>>>
>>>> I then used the publisher identity to sign the data:
>>>>
>>>>     m_ident = m_keyChain.createIdentity(Name("/root/publisher"));
>>>>     m_info = ndn::security::SigningInfo(m_ident);
>>>>
>>>>     m_keyChain.sign(*data, m_info);
>>>>
>>>> On the consumer side I use a validator to validate data:
>>>>
>>>>     m_validator->load("sample.cfg");
>>>>
>>>>     m_validator->validate(data,
>>>>             ndn::bind(&Consumer::onValidated, this, _1),
>>>>             ndn::bind(&Consumer::onValidationFailed, this, _1, _2));
>>>>
>>>>
>>>> I want to trust everything signed with the publisher's key. The
>>>> sample.cfg is:
>>>>
>>>>     rule
>>>>     {
>>>>       id "Sample Rule"
>>>>       for data
>>>>       filter
>>>>       {
>>>>         type name
>>>>         name /root/publisher
>>>>         relation is-prefix-of
>>>>       }
>>>>       checker
>>>>       {
>>>>         type hierarchical
>>>>         sig-type rsa-sha256
>>>>       }
>>>>     }
>>>>
>>>>     trust-anchor
>>>>     {
>>>>       type file
>>>>       file-name "root.cert"
>>>>     }
>>>>
>>>>
>>>> Now, when I launch the consumer, it issues an interest, gets the data,
>>>> issues another interest to get the key
>>>> (/root/publisher/KEY/4%05i%7E%3C%F6%87%2F/%FD%00%00%01_%25%8Bz%80), but
>>>> ends up with an error:
>>>>
>>>>     Malformed certificate (Name does not follow the naming convention for certificate).
>>>>
>>>>
>>>> My question is now, is this how I'm supposed to do this? If yes, what's
>>>> the problem here? If not, is there any example tutorial, walking
>>>> through all the steps of managing trust in NDN (ndnsec, app, validator)?
>>>>
>>>> Thanks in advance,
>>>>
>>>> Michał
>>>>
>>>>
>>>
>>>
>>>
>>
>
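
A stand-alone version of the certificate-name check this thread runs into, added here as an example (it is not code from the thread or from ndn-cxx). It assumes the NDN certificate naming convention /<identity>/KEY/<key-id>/<issuer-id>/<version>, where "KEY" is located by counting four components back from the end of the name; the function names and the third sample name are hypothetical.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Split an NDN URI such as "/a/b/c" into components. Escaped bytes (%XX) are
// kept as-is: only the position of each component matters for this check.
std::vector<std::string> splitName(const std::string& uri) {
  std::vector<std::string> out;
  std::istringstream in(uri);
  std::string comp;
  while (std::getline(in, comp, '/'))
    if (!comp.empty()) out.push_back(comp);
  return out;
}

struct CertName { std::string identity, keyId, issuerId, version; };

// Assumed convention: /<identity>/KEY/<key-id>/<issuer-id>/<version>.
// Returns false when the name is too short or "KEY" is not 4th from the end.
bool parseCertName(const std::string& uri, CertName& r) {
  const std::vector<std::string> c = splitName(uri);
  const std::size_t n = c.size();
  if (n < 4 || c[n - 4] != "KEY") return false;
  r.identity.clear();
  for (std::size_t i = 0; i + 4 < n; ++i) r.identity += "/" + c[i];
  if (r.identity.empty()) r.identity = "/";
  r.keyId = c[n - 3]; r.issuerId = c[n - 2]; r.version = c[n - 1];
  return true;
}

// 1-based position (from the start) where the check looks for "KEY"; 0 if too short.
std::size_t expectedKeyPosition(const std::string& uri) {
  const std::size_t n = splitName(uri).size();
  return n < 4 ? 0 : n - 3;
}

int main() {
  // The first two names are quoted in the thread. The third is constructed:
  // "self" and "v1" are placeholder issuer-id and version components.
  const char* names[] = {
    "/root/publisher/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_D8%F1%A4",
    "/root/publisher/KEY/4%05i%7E%3C%F6%87%2F/%FD%00%00%01_%25%8Bz%80",
    "/root/publisher/KEY/%AF%C7%D8y3%5De%06/self/v1"};
  for (const char* uri : names) {
    CertName r;
    std::cout << uri << "\n  KEY expected at component "
              << expectedKeyPosition(uri) << ": "
              << (parseCertName(uri, r) ? "valid" : "malformed") << "\n";
  }
}
```

Both names from the thread have five components, so the check looks for "KEY" at the second component and reports them as malformed; the constructed six-component name passes.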
