[Ndn-interest] a question on validating pure sha256 in ndn-cxx validator

Justin Park = 세형 justin.labry at gmail.com
Tue Mar 9 23:59:28 PST 2021


Hi all,


I made a patch for digest-sha256 verification and submitted it through
gerrit.named-data.net.

However, I have some follow-up questions.


According to the NDN Specification, "SignatureHmacWithSha256" is also assigned
as one of the SignatureTypes.

But I think in order for the Validator to verify Hmac packets, the module
needs to add the secret key as a parameter to perform Hmac validation.

Could you tell me the status and plans for Hmac validation?


Best,


Justin

On Mon, Mar 8, 2021 at 5:59 PM Justin Park = 세형 <justin.labry at gmail.com>
wrote:

> Thank you Junxiao for the crystal clear explanation.
> Alex, I tried the latest version (master) of ndn-cxx and nfd, but the
> result was exactly the same.
> I'll try to look into the source code and see what I can do about the
> sha256 patch.
>
> Justin
>
> On Mon, Mar 8, 2021 at 12:23 PM Alex Afanasyev <aa at cs.fiu.edu> wrote:
>
>> Hi Justin,
>>
>> Thanks for debugging.  Using validator for sha256 (not really a valid
>> signature) may not make too much sense, but we did some fixing in the
>> checker that should get a bit farther (it was actually in what is currently the
>> last commit of the master branch). You may want to re-check with the
>> latest commit and see if it fixes your problem, if not, hope you can make
>> and submit a patch.
>>
>> -
>> Alex
>>
>> On Mar 7, 2021, at 9:06 PM, Justin Park = 세형 via Ndn-interest <
>> ndn-interest at lists.cs.ucla.edu> wrote:
>>
>> Hi all,
>>
>> Last Friday, I was working with NDN-CXX (0.7.0) for
>> rsa-sha256, ecdsa-sha256, and sha256 validation.
>> The first two (rsa-sha256, ecdsa-256) had no trouble, but I had some
>> issues with sha256.
>> Of course, I followed the instruction below:
>>
>> https://named-data.net/doc/ndn-cxx/current/tutorials/security-validator-config.html
>>
>>   checker
>>   {
>>     type customized
>>     sig-type sha256
>>     key-locator
>>     {
>>       type name
>>       name /localhost/identity/digest-sha256
>>       relation equal
>>     }
>>   }
>>
>> However, when I tried something with sig-type sha256, I got “Internal
>> implementation error.”
>>
>> %9Bhq%A82%5B%AF%22%A7G%5E%B7%16%7C%1F8%93%AC?Nonce=f0547aea from forwarder
>>
>> 1615167042.071117 DEBUG: [ndn.Face] <I /data/4?MustBeFresh&Nonce=8f696b08
>>
>> 1615167042.071596 DEBUG: [ndn.Face] >D /data/4
>>
>> 1615167042.071643 DEBUG: [ndn.Face]    satisfying
>> /data/4?MustBeFresh&Nonce=8f696b08 from app
>> 1615167042.071655 DEBUG: [ndn.security.Validator] > Start validating data
>> /data/4
>> 1615167042.071660 TRACE: [ndn.security.validator_config.Rule] Trying to
>> match /data/4
>> 1615167042.071675 TRACE: [ndn.security.validator_config.Rule] Trying to
>> check /data/4 with keyLocator /localhost/identity/digest-sha256
>>
>> 1615167042.073762 DEBUG: [ndn.security.ValidationState] > Internal
>> implementation error (Validator/policy did not invoke success or failure
>> callback)
>>
>> To find the cause of errors, I followed the ndn-cxx source code from
>> Validator::validate, to ValidationPolicyConfig::checkPolicy
>> to getKeyLocatorName, to Checker::check, to extractIdentityFromKeyName.
>> And I tentatively concluded that ndn-cxx doesn’t have the facility to
>> validate pure “sha256” in the same manner as rsa-sha256 and ecdsa-sha256.
>>
>> I also checked that ndn-cxx has verifyDigest in verification-helper.cpp,
>> but verifyDigest is only referenced in unit test code.
>>
>> My question is whether my speculation is right, and I also want to know the
>> status and future plans regarding sha256 verification in Validator.
>>
>> Thank you,
>>
>> Justin
>>
>>
>> ===================================
>> const Name&
>> SigningInfo::getDigestSha256Identity()
>> {
>>   static Name digestSha256Identity("/localhost/identity/digest-sha256");
>>   return digestSha256Identity;
>> }
>>
>> ===================================
>> Name
>> extractIdentityFromKeyName(const Name& keyName)
>> {
>>   if (!isValidKeyName(keyName)) {
>>     NDN_THROW(std::invalid_argument("Key name `" + keyName.toUri() + "` "
>>                                     "does not respect the naming conventions"));
>>   }
>>
>>   return keyName.getPrefix(-Certificate::MIN_KEY_NAME_LENGTH); // trim everything after and including "KEY"
>> }
>>
>>
>> ______________
>> Alex Afanasyev
>> Assistant Professor, SCIS, Florida International University
>> 11200 SW 8th Street, PG6 Room 140D, Miami, FL 33199
>> phone: +1.305.348.4960 (office); email: aa at cs.fiu.edu <aa at cs.fiu.edu>
>> web: https://users.cs.fiu.edu/~afanasyev/
>>
>>
>>
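
Added example, not part of the thread and not ndn-cxx code: the two checks discussed above in plain Python, showing that a DigestSha256 value can be recomputed by anyone (integrity only) while an HMAC check needs the shared key as an extra input and should fail closed without it. The function names, sample bytes and key are constructed for illustration; the SignatureType codes 0 and 4 are the values assigned in the NDN packet specification.

```python
import hashlib
import hmac

# SignatureType codes from the NDN packet specification.
DIGEST_SHA256 = 0
HMAC_WITH_SHA256 = 4


def compute_signature(signed_portion, sig_type, key=None):
    """Return the SignatureValue bytes for the given signed portion."""
    if sig_type == DIGEST_SHA256:
        return hashlib.sha256(signed_portion).digest()
    if sig_type == HMAC_WITH_SHA256:
        if not key:
            raise ValueError("HMAC requires a shared secret key")
        return hmac.new(key, signed_portion, hashlib.sha256).digest()
    raise ValueError("unsupported signature type: %r" % sig_type)


def verify(signed_portion, sig_type, sig_value, key=None):
    """Constant-time check; fails closed on a missing key or unknown type."""
    try:
        expected = compute_signature(signed_portion, sig_type, key)
    except ValueError:
        return False
    return hmac.compare_digest(expected, sig_value)


def demo():
    # Constructed stand-ins for the signed portion of a Data packet.
    original = b"constructed: /data/4 | content=hello"
    modified = b"constructed: /data/4 | content=HELLO"
    key = b"constructed-shared-secret"

    d_sig = compute_signature(original, DIGEST_SHA256)
    h_sig = compute_signature(original, HMAC_WITH_SHA256, key)
    return {
        "digest_intact": verify(original, DIGEST_SHA256, d_sig),
        "digest_stale": verify(modified, DIGEST_SHA256, d_sig),
        # No secret is involved, so a fresh digest over changed bytes verifies.
        "digest_recomputed": verify(
            modified, DIGEST_SHA256, compute_signature(modified, DIGEST_SHA256)),
        "hmac_intact": verify(original, HMAC_WITH_SHA256, h_sig, key),
        "hmac_modified": verify(modified, HMAC_WITH_SHA256, h_sig, key),
        "hmac_no_key": verify(original, HMAC_WITH_SHA256, h_sig),
        "hmac_wrong_key": verify(original, HMAC_WITH_SHA256, h_sig, b"other"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```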