[Ndn-interest] Complete trust management from scratch in ndn-cxx
Michał Król
m.krol at ucl.ac.uk
Sun Oct 22 06:28:45 PDT 2017
I looked a bit deeper in the code and I found the reason for the problem.
ndn-cxx is expecting "KEY" as the second component in the certificate
name. However, my certificate name is:
"/root/publisher/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_D8%F1%A4", so "KEY"
is the third component.
When I changed the code to put "/root/" in the Interest instead of
"/root/site1" it solved the problem and the signature is verified
correctly. In future experiments I would like to implement a hierarchy
of trust. Do you know what is the problem here?
Best,
Michał
On 17/10/17 10:49, Michał Król wrote:
>
> Hi Matteo,
>
> thanks for your message. It's just a formatting problem. For some
> reason my mail client decided to replace tabs with "/" and "?". They
> are not present in the files though.
>
> I've seen your tutorial before. Actually, it was the only complete
> solution I could find online, so I was relying heavily on it. Thank
> you. My setup seems only slightly different, but I still can't make it
> work.
>
> Best,
>
> Michał
>
>
>
>>
>>
>>> Begin forwarded message:
>>>
>>> From: Matteo Bertolino <Matteo.Bertolino at eurecom.fr>
>>> Subject: Re: [Ndn-interest] Complete trust management from
>>> scratch in ndn-cxx
>>> Date: 16 October 2017 19:49:16 BST
>>> To: <ndn-interest at lists.cs.ucla.edu>
>>>
>>> Hello,
>>> why do you have the "//" in each line of the validator?
>>> I am on my phone so I cannot easily provide you a good answer, but you
>>> can find a complete and commented use case here:
>>> https://github.com/MatteoBertolino92/NDN-matteo/blob/master/ndncxx_miniNDN_someUseCases_nacks__certificates__interest_verification.pdf
>>>
>>> Section 3. Write me if you need some clarifications.
>>> Matteo
>>>
>>>
>>> Quoting Michał Król <m.krol at ucl.ac.uk>:
>>>
>>>> Dear all,
>>>>
>>>> I'm struggling with setting up a simple trust/security system in NDN. I
>>>> find it difficult to find an up-to-date set of information that will work for
>>>> all system components. Please correct me if I misunderstood something.
>>>>
>>>> I have a very simple scenario: one producer and one consumer on one
>>>> machine. I want to have a central entity (root) and a publisher
>>>> (publisher) that will be allowed to publish trusted content.
>>>>
>>>> I first create the root certificate using ndnsec and self-sign it:
>>>>
>>>>     ndnsec-key-gen -n /root
>>>>     ndnsec-sign-req /root > root.cert
>>>>
>>>> Next I create a certificate for the publisher and sign it using the
>>>> root certificate:
>>>>
>>>>     ndnsec-key-gen -n /root/publisher > unsigned_publisher.cert
>>>>     ndnsec-cert-gen -S 201510080000 -E 202010080000 -s /root -i /root/publisher -r unsigned_publisher.cert > publisher.cert
>>>>
>>>>
>>>> I then used the publisher identity to sign the data:
>>>>
>>>>     m_ident = m_keyChain.createIdentity(Name("/root/publisher"));
>>>>     m_info = ndn::security::SigningInfo(m_ident);
>>>>     m_keyChain.sign(*data, m_info);
>>>>
>>>> On the consumer side I use a validator to validate data:
>>>>
>>>>     m_validator->load("sample.cfg");
>>>>     m_validator->validate(data,
>>>>         ndn::bind(&Consumer::onValidated, this, _1),
>>>>         ndn::bind(&Consumer::onValidationFailed, this, _1, _2));
>>>>
>>>>
>>>> I want to trust everything signed with the publisher's key. The
>>>> sample.cfg is:
>>>>
>>>>     rule
>>>>     {
>>>>       id "Sample Rule"
>>>>       for data
>>>>       filter
>>>>       {
>>>>         type name
>>>>         name /root/publisher
>>>>         relation is-prefix-of
>>>>       }
>>>>       checker
>>>>       {
>>>>         type hierarchical
>>>>         sig-type rsa-sha256
>>>>       }
>>>>     }
>>>>
>>>>     trust-anchor
>>>>     {
>>>>       type file
>>>>       file-name "root.cert"
>>>>     }
>>>>
>>>>
>>>> Now, when I launch the consumer, it issues an interest, gets the data,
>>>> issues another interest to get the key
>>>> (/root/publisher/KEY/4%05i%7E%3C%F6%87%2F/%FD%00%00%01_%25%8Bz%80), but
>>>> ends up with an error:
>>>>
>>>>     Malformed certificate (Name does not follow the naming convention for certificate).
>>>>
>>>>
>>>> My question now is: is this how I'm supposed to do this? If yes, what's
>>>> the problem here? If not, is there any example tutorial walking
>>>> through all the steps of managing trust in NDN (ndnsec, app, validator)?
>>>>
>>>> Thanks in advance,
>>>>
>>>> Michał
>>>>
>>>>
>>>
>>>
>>>
>>
>
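The "naming convention" error quoted in this thread is a check on the shape of the certificate name. As an added example (not part of the original messages and not ndn-cxx code), this stand-alone C++ program models such a check and applies it to the two names quoted above. It assumes the ndn-cxx v2 convention /<identity>/KEY/<keyId>/<issuerId>/<version>; the function names and the third sample name are hypothetical.

```cpp
// Added example: stand-alone model of the certificate-name check (not ndn-cxx code).
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Split an NDN URI on literal '/' only. Percent-escapes such as %2F stay
// encoded, so an escaped slash inside a key id does not start a new component.
std::vector<std::string> splitName(const std::string& uri) {
  std::vector<std::string> comps;
  std::string cur;
  for (char ch : uri + "/") {          // trailing '/' flushes the last component
    if (ch != '/') { cur += ch; continue; }
    if (!cur.empty()) comps.push_back(cur);
    cur.clear();
  }
  return comps;
}

// Assumed convention: /<identity...>/KEY/<keyId>/<issuerId>/<version>,
// i.e. at least 4 components with "KEY" fourth from the end.
bool isValidCertName(const std::string& uri) {
  const std::vector<std::string> c = splitName(uri);
  return c.size() >= 4 && c[c.size() - 4] == "KEY";
}

// Components following the last "KEY" (-1 if absent); the convention needs 3.
int componentsAfterKey(const std::string& uri) {
  const std::vector<std::string> c = splitName(uri);
  for (std::size_t i = c.size(); i-- > 0;)
    if (c[i] == "KEY") return static_cast<int>(c.size() - 1 - i);
  return -1;
}

int main() {
  const char* names[] = {
    // the two names quoted in the thread
    "/root/publisher/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_D8%F1%A4",
    "/root/publisher/KEY/4%05i%7E%3C%F6%87%2F/%FD%00%00%01_%25%8Bz%80",
    // constructed name that follows the assumed convention
    "/root/publisher/KEY/key-id/issuer-id/version",
  };
  for (const char* n : names)
    std::cout << (isValidCertName(n) ? "ok       " : "malformed") << "  after KEY: "
              << componentsAfterKey(n) << "  " << n << "\n";
  return 0;
}
```

Both names from the thread carry only two components after "KEY", so a validator applying this convention rejects them before any signature is checked.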