[Nfd-dev] How to start a certificate chain from scratch

Junxiao Shi shijunxiao at email.arizona.edu
Fri Mar 20 20:05:46 PDT 2015


Hi Jiewen

However, after completing these steps, I'm still unable to fetch the
certificate with ndn-tlv-peek.
It appears that ndns didn't register any routes in local NFD.
ndns didn't create a log file in /var/log/ndn, so I can't see what's going
on.

Any idea on how to diagnose this problem?

Yours, Junxiao

On Fri, Mar 20, 2015 at 2:04 PM, Jiewen Tan <alanwake at ucla.edu> wrote:

> Hi Junxiao,
>
> 1) All the operations you did are correct. Any modification to the
> NDNS database needs sudo privilege, and all the certificates provided need
> to have the version number.
>
> 2) Actually, the current version of ndns-add-from-file is not
> capable of adding a self-signed KSK to the NDNS database. It regards all
> self-signed KSKs as non-root certificates, and therefore it will re-sign the
> KSK using the zone’s DSK. Thank you for pointing this out. I will add an option
> to add a root certificate.
>
> Regards,
>
> Jiewen Tan
>
> *From:* Junxiao Shi [mailto:shijunxiao at email.arizona.edu]
> *Sent:* Thursday, March 19, 2015 10:41 PM
> *To:* Jiewen Tan
> *Cc:* <nfd-dev at lists.cs.ucla.edu>; Xiaoke Jiang
> *Subject:* Re: [Nfd-dev] How to start a certificate chain from scratch
>
> Hi Jiewen
>
> I have tried these steps with ndns 0.0.2-ppa1~trusty.
>
> My experiences and questions are below.
>
> 1) create root zone
>
> a. ndns-create-zone
>
>    - -k parameter must be the full certificate Name including the version
>    component after ID-CERT, otherwise it complains "Error: Cannot verify KSK
>    certificate".
>    - sudo is needed, otherwise it complains "Error: INSERT INTO zones
>    (name, ttl) VALUES (?, ?)", and operator's TPM is polluted with a useless
>    DSK.
>
> 2) publish root certificate
>
> a. ndns-export-certificate (appears to be equivalent to
> ndnsec-dump-certificate)
>
>    - first parameter must be the full certificate Name including the
>    version component after ID-CERT, otherwise it complains "Error: Certificate
>    name is illegal".
>
> b. ndns-add-rr-from-file
>
>    - sudo is needed, otherwise it complains "Error: FileStore: error
>    opening file for reading:
>    /home/sunny/.ndn/ndnsec-tpm-file/KaThtq7TuD1zToRgAXsZ+QMEUA0e6A8O6rwm3f0vBlU=.pri"
>
> 3) create site1 zone
>
> a. ndns-create-zone
>
>    - same as 1a, sudo is needed
>
> 4) delegate site1 zone from root zone
>
> a. ndns-add-rr
>
>    - sudo is needed, otherwise it complains "Error: FileStore: error
>    opening file for reading:
>    /home/sunny/.ndn/ndnsec-tpm-file/KaThtq7TuD1zToRgAXsZ+QMEUA0e6A8O6rwm3f0vBlU=.pri"
>
> 5) publish site1 certificate
>
> a. ndns-export-certificate
>
>    - same as 2a, first parameter must be the full certificate Name
>    including the version component after ID-CERT; execute `ndnsec-list -c` to
>    learn the full certificate Name.
>
> b. ndns-add-rr-from-file
>
>    - same as 2b, sudo is needed
>
> 6) publish user1 certificate
>
> a. ndns-add-rr-from-file
>
>    - sudo is needed, otherwise it complains "Error: FileStore: error
>    opening file for reading:
>    /home/sunny/.ndn/ndnsec-tpm-file/stCLw6BWTYfAe8nHMIocqKD9I9+rAglUbI6dbR%2oNM=.pri"
>
> However, after completing these steps, I'm still unable to fetch the
> certificate with ndn-tlv-peek.
>
> It appears that ndns didn't register any routes in local NFD.
>
> ndns didn't create a log file in /var/log/ndn, so I can't see what's going
> on.
>
> Also, the root certificate doesn't seem correct.
>
> sunny at sunnyq ~ $ ndns-list-zone /root
>
> ; Zone /root
>
> ; rrset=/site1 type=NS version=%FD%00%00%01L5%A2k%D0 signed-by=/root/KEY/dsk-1426828258078/ID-CERT
> /site1                    3600  NS
>
> /dsk-1426828258078        3600  ID-CERT  ; content-type=NDNS-Raw version=%FD%00%00%01L5%97l%23 signed-by=/root/KEY/ksk-1426828193071/ID-CERT
>
> /ksk-1426828193071        3600  ID-CERT  ; content-type=NDNS-Raw version=%FD%00%00%01L5%96n%83 signed-by=/root/KEY/dsk-1426828258078/ID-CERT
>
> /site1/ksk-1426828890240  3600  ID-CERT  ; content-type=NDNS-Raw version=%FD%00%00%01L5%A1%12d signed-by=/root/KEY/dsk-1426828258078/ID-CERT
>
> This says that the root KSK is signed by the root DSK. It's not the
> original self-signed KSK.
>
> Yours, Junxiao
>
> On Wed, Mar 11, 2015 at 12:48 PM, Jiewen Tan <alanwake at ucla.edu> wrote:
>
> Hi Junxiao,
>
> Assuming the root key and root certificate are already present in the
> system (PIB),
>
> 1) Create root zone: /example
>
> a. ndns-create-zone  /example -k /example/KEY/ksk-1/ID-CERT
>
> This creates a zone named /example using a KSK stored in the PIB. It
> will also automatically generate a DSK signed by the provided KSK and
> insert the DSK into the NDNS database (publish it). All other options are set to
> default.
>
> 2) Publish root certificate: /example/KEY/ksk-1/ID-CERT
>
> a. ndns-export-certificate /example/KEY/ksk-1/ID-CERT
>
> This exports the root certificate to stdout. It can be exported to a
> file by using the -f option as well.
>
> b. ndns-add-rr-from-file /example
>
> This inserts the root certificate into the NDNS database (publishes it under
> zone /example). By default it reads from stdin, so you can just
> copy & paste the output from 2.a. Terminate the input with Ctrl+D.
>
> 3) Create site1 zone: /example/site1
>
> a. ndns-create-zone  /example/site1
>
> Here, the tool will automatically generate a self-signed KSK and a
> corresponding DSK. Moreover, the DSK will be published automatically.
>
> 4) Delegate site1 zone from root zone
>
> a. ndns-add-rr -t resp /example /site1 NS
>
> This adds an rrset to zone /example with label /site1 and
> type /NS. Specifically, the content-type of the rrset is set to resp, which
> indicates the existence of zone /example/site1. Now the delegation is
> complete. However, if the site zone is a leaf zone, a TXT type rrset is
> preferred.
>
> 5) Publish site1 certificate: /example/KEY/site1/ksk-2/ID-CERT
> (Site1’s KSK needs to be published in its parent zone, i.e. the root zone.)
>
> a. ndns-export-certificate /example/KEY/site1/ksk-2/ID-CERT -f
> site1.cert
>
> Export the certificate from site1 zone.
>
> b. Pass the certificate to the parent zone, i.e. the root zone here.
> (Use whatever method you prefer.)
>
> c. ndns-add-rr-from-file /example -f site1.cert
>
> Here the tool will re-sign the certificate with the zone’s DSK so that an
> authentication chain can be established. After that, it will publish the
> certificate in the NDNS database with label set to /site1/ksk-2 and type
> set to ID-CERT.
>
> 6) Publish user1 certificate: /example/site1/KEY/user1/ksk-3/ID-CERT
> (Assuming it is stored as user1.cert)
>
> a. ndns-add-rr-from-file /example/site1 -f user1.cert
>
> Note again that this operation needs to be done in the parent zone, i.e.
> /example/site1.
>
> In NDNS, publishing a certificate essentially means inserting the
> certificate into the NDNS database as an ID-CERT rrset. Therefore I use these
> two terms interchangeably here.
>
> Thank you for asking this question. I will try to make the answer as
> complete as possible and post this answer on the ndns-tr as an appendix.
>
> BTW, Xiaoke, please add to my explanation if necessary.
>
> Regards,
>
> Jiewen Tan
>
> *From:* Junxiao Shi [mailto:shijunxiao at email.arizona.edu]
> *Sent:* Wednesday, March 11, 2015 11:56 AM
> *To:* <nfd-dev at lists.cs.ucla.edu>
> *Cc:* Xiaoke Jiang; Jiewen Tan
> *Subject:* Re: [Nfd-dev] How to start a certificate chain from scratch
>
> Hi Xiaoke/Jiewen
>
> (correcting a typo below)
>
> Thanks for your examples. However, I need to start from scratch. Suppose:
>
> - root/site/user certificates are created according to
> http://www.lists.cs.ucla.edu/pipermail/nfd-dev/2014-November/000616.html
>
> - Two machines have the NDNS package installed. One is to host the root zone,
> the other is to host the site1 zone.
>
> I need the commands to:
>
> - create root zone: /example
>
> - publish root certificate: /example/KEY/ksk-1/ID-CERT
>
> - create site1 zone: /example/site1
>
> - delegate site1 zone from root zone
>
> - publish site1 certificate: /example/KEY/site1/ksk-2/ID-CERT (should
> this be published at root zone or site1 zone?)
>
> - publish user1 certificate: /example/site1/KEY/user1/ksk-3/ID-CERT
>
> Yours, Junxiao
>
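The trust-chain problem in this thread was spotted by reading the `ndns-list-zone` output by eye: the zone's KSK, which should be the self-signed trust anchor, had been re-signed by the zone's DSK. The following Python script is an added example and is not code from the thread or from the ndns project. It parses a zone listing (the `/root` listing pasted above, re-joined onto single lines as a constructed sample) and audits the signer of every ID-CERT record: the zone's own KSK must be self-signed, the DSK must be signed by one of the zone's KSKs, and a delegated child key must be signed by the zone's DSK. The certificate naming rule `/<zone>/KEY/<key-id>/ID-CERT`, the record-line layout, and those three expectations are assumptions drawn from what the thread shows, not documented ndns behaviour. A second constructed listing (`FIXED_LISTING`) shows the same zone with the original self-signed KSK, which passes the audit.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `ndns-list-zone /root` output quoted in the thread,
# with each record rejoined onto one line (the mail client had wrapped them).
ROOT_LISTING = """\
; Zone /root

; rrset=/site1 type=NS version=%FD%00%00%01L5%A2k%D0 signed-by=/root/KEY/dsk-1426828258078/ID-CERT
/site1                    3600  NS

/dsk-1426828258078        3600  ID-CERT  ; content-type=NDNS-Raw version=%FD%00%00%01L5%97l%23 signed-by=/root/KEY/ksk-1426828193071/ID-CERT

/ksk-1426828193071        3600  ID-CERT  ; content-type=NDNS-Raw version=%FD%00%00%01L5%96n%83 signed-by=/root/KEY/dsk-1426828258078/ID-CERT

/site1/ksk-1426828890240  3600  ID-CERT  ; content-type=NDNS-Raw version=%FD%00%00%01L5%A1%12d signed-by=/root/KEY/dsk-1426828258078/ID-CERT
"""

# Constructed sample of the same zone once the root KSK is stored as the
# original self-signed certificate (signed-by is its own name).
FIXED_LISTING = ROOT_LISTING.replace(
    "version=%FD%00%00%01L5%96n%83 signed-by=/root/KEY/dsk-1426828258078/ID-CERT",
    "version=%FD%00%00%01L5%96n%83 signed-by=/root/KEY/ksk-1426828193071/ID-CERT",
)

KV_RE = re.compile(r"(\S+?)=(\S+)")  # key=value pairs in the ';' comments


@dataclass
class Record:
    label: str
    ttl: int
    rtype: str
    attrs: dict


def parse_zone_listing(text):
    """Parse ndns-list-zone text into (zone name, [Record]).

    Attributes on a preceding '; rrset=...' comment line are attached to the
    record that follows it; attributes after ';' on the record line itself win.
    """
    zone, records, pending = None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            m = re.match(r";\s*Zone\s+(\S+)", line)
            if m:
                zone = m.group(1)
            else:
                pending = dict(KV_RE.findall(line))
            continue
        rec_part, _, comment = line.partition(";")
        fields = rec_part.split()
        if len(fields) < 3:
            continue  # not a resource-record line
        attrs = dict(pending)
        attrs.update(KV_RE.findall(comment))
        records.append(Record(fields[0], int(fields[1]), fields[2], attrs))
        pending = {}
    return zone, records


def cert_name(zone, label):
    """Assumed certificate naming from the thread: /<zone>/KEY/<key-id>/ID-CERT
    (signed-by values carry no version component)."""
    return f"{zone}/KEY{label}/ID-CERT"


def audit_zone(text):
    """Return a list of chain problems found in a zone listing ([] means clean)."""
    zone, records = parse_zone_listing(text)
    certs = {r.label: r for r in records if r.rtype == "ID-CERT"}
    own_ksks = {cert_name(zone, l) for l in certs if l.startswith("/ksk-")}
    own_dsks = {cert_name(zone, l) for l in certs if l.startswith("/dsk-")}
    problems = []
    for label, rec in certs.items():
        signer = rec.attrs.get("signed-by")
        if label.startswith("/ksk-"):  # zone trust anchor: must be self-signed
            expected = cert_name(zone, label)
            if signer != expected:
                problems.append(f"{label}: KSK signed by {signer}, expected self-signed {expected}")
        elif label.startswith("/dsk-"):  # DSK must chain to a zone KSK
            if signer not in own_ksks:
                problems.append(f"{label}: DSK signed by {signer}, expected one of {sorted(own_ksks)}")
        else:  # delegated child key published here: must chain to this zone's DSK
            if signer not in own_dsks:
                problems.append(f"{label}: child KSK signed by {signer}, expected one of {sorted(own_dsks)}")
    return problems


if __name__ == "__main__":
    for title, listing in (("as listed in the thread", ROOT_LISTING),
                           ("with self-signed root KSK", FIXED_LISTING)):
        found = audit_zone(listing)
        print(f"{title}: {'OK' if not found else 'PROBLEMS'}")
        for p in found:
            print("  " + p)
```

Run on the listing from the thread it reports exactly one problem, for `/ksk-1426828193071`, which is the observation Junxiao made by hand; on the corrected listing it reports none. Piping real `ndns-list-zone` output through `audit_zone` after each `ndns-add-rr-from-file` step gives a quick check that a zone's anchor was not silently re-signed.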