[Nfd-dev] How to start a certificate chain from scratch

Xiaoke Jiang shock.jiang at gmail.com
Fri Mar 20 20:23:08 PDT 2015


Hi Junxiao,
> On 20 Mar, 2015, at 8:05 pm, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:
> 
> Hi Jiewen
> 
> However, after completing these steps, I'm still unable to fetch certificate with ndn-tlv-peek.
I just tried ndn-tlv-peek /ndn/edu/ucla/NDNS/alice/TXT, and it works.
The point is: do NOT add the version number to the Interest name.


> It appears that ndns didn't register any routes in local NFD.
That is not true.
> ndns didn't create a log file in /var/log/ndn, so I can't see what's going on.
> 
There is a log configuration, /usr/local/etc/ndns/log4cxx.properties, and when you start ndns-daemon, the log is printed to the console.
You can also define your own log attributes to print it to a file.

> Any idea on how to diagnose this problem?
> 
> Yours, Junxiao
> 
> On Fri, Mar 20, 2015 at 2:04 PM, Jiewen Tan <alanwake at ucla.edu <mailto:alanwake at ucla.edu>> wrote:
> Hi Junxiao,
> 
> 1)      All the operations you did are correct. Any modification to the NDNS database needs sudo privilege, and all the certificates provided need to have the version number.
> 
> 2)      Actually, the current version of ndns-add-from-file is not capable of adding a self-signed KSK to the NDNS database. It regards all self-signed KSKs as non-root certificates, and therefore it will re-sign the KSK using the zone’s DSK. Thank you for pointing this out. I will add an option to add root certificates.
> 
> Regards,
> 
> Jiewen Tan
> 
> From: Junxiao Shi [mailto:shijunxiao at email.arizona.edu <mailto:shijunxiao at email.arizona.edu>] 
> Sent: Thursday, March 19, 2015 10:41 PM
> To: Jiewen Tan
> Cc: <nfd-dev at lists.cs.ucla.edu <mailto:nfd-dev at lists.cs.ucla.edu>>; Xiaoke Jiang
> Subject: Re: [Nfd-dev] How to start a certificate chain from scratch
> 
> Hi Jiewen
> 
> I have tried these steps with ndns 0.0.2-ppa1~trusty.
> 
> My experiences and questions are below.
> 
> 1) create root zone
> 
> a. ndns-create-zone
> 
> -k parameter must be the full certificate Name including the version component after ID-CERT, otherwise it complains "Error: Cannot verify KSK certificate".
> sudo is needed, otherwise it complains "Error: INSERT INTO zones (name, ttl) VALUES (?, ?)", and operator's TPM is polluted with a useless DSK.
> 
> 2) publish root certificate
> 
> a. ndns-export-certificate (appears to be equivalent to ndnsec-dump-certificate)
> 
> first parameter must be the full certificate Name including the version component after ID-CERT, otherwise it complains "Error: Certificate name is illegal".
> 
> b. ndns-add-rr-from-file
> 
> sudo is needed, otherwise it complains "Error: FileStore: error opening file for reading: /home/sunny/.ndn/ndnsec-tpm-file/KaThtq7TuD1zToRgAXsZ+QMEUA0e6A8O6rwm3f0vBlU=.pri"
> 
> 3) create site1 zone
> 
> a. ndns-create-zone
> 
> same as 1a, sudo is needed
> 
> 4) delegate site1 zone from root zone
> 
> a. ndns-add-rr
> 
> sudo is needed, otherwise it complains "Error: FileStore: error opening file for reading: /home/sunny/.ndn/ndnsec-tpm-file/KaThtq7TuD1zToRgAXsZ+QMEUA0e6A8O6rwm3f0vBlU=.pri"
> 
> 5) publish site1 certificate
> 
> a. ndns-export-certificate
> 
> same as 2a, first parameter must be the full certificate Name including the version component after ID-CERT; execute `ndnsec-list -c` to learn the full certificate Name.
> 
> c. ndns-add-rr-from-file
> 
> same as 2b, sudo is needed
> 
> 6) publish user1 certificate
> 
> a. ndns-add-rr-from-file
> 
> sudo is needed, otherwise it complains "Error: FileStore: error opening file for reading: /home/sunny/.ndn/ndnsec-tpm-file/stCLw6BWTYfAe8nHMIocqKD9I9+rAglUbI6dbR%2oNM=.pri"
> 
> However, after completing these steps, I'm still unable to fetch the certificate with ndn-tlv-peek.
> 
> It appears that ndns didn't register any routes in local NFD.
> 
> ndns didn't create a log file in /var/log/ndn, so I can't see what's going on.
> 
> Also, the root certificate doesn't seem correct.
> 
> sunny at sunnyq ~ $ ndns-list-zone /root
> 
> ; Zone /root
> 
> ; rrset=/site1 type=NS version=%FD%00%00%01L5%A2k%D0 signed-by=/root/KEY/dsk-1426828258078/ID-CERT
> /site1                    3600  NS       
> 
> /dsk-1426828258078        3600  ID-CERT  ; content-type=NDNS-Raw version=%FD%00%00%01L5%97l%23 signed-by=/root/KEY/ksk-1426828193071/ID-CERT
> 
> /ksk-1426828193071        3600  ID-CERT  ; content-type=NDNS-Raw version=%FD%00%00%01L5%96n%83 signed-by=/root/KEY/dsk-1426828258078/ID-CERT
> 
> /site1/ksk-1426828890240  3600  ID-CERT  ; content-type=NDNS-Raw version=%FD%00%00%01L5%A1%12d signed-by=/root/KEY/dsk-1426828258078/ID-CERT
> 
> This says that the root KSK is signed by the root DSK. It's not the original self-signed KSK.
> 
> Yours, Junxiao
> 
> On Wed, Mar 11, 2015 at 12:48 PM, Jiewen Tan <alanwake at ucla.edu <mailto:alanwake at ucla.edu>> wrote:
> 
> Hi Junxiao,
> 
> Assuming the root key and root certificate are already present in the system (PIB),
> 
> 1)      Create root zone: /example
> 
> a.       ndns-create-zone  /example -k /example/KEY/ksk-1/ID-CERT
> 
> This creates a zone named /example using a KSK stored in the PIB. It will also automatically generate a DSK signed by the provided KSK and insert the DSK into the NDNS database (publish). All other options are set to default.
> 
> 2)      Publish root certificate: /example/KEY/ksk-1/ID-CERT
> 
> a.       ndns-export-certificate /example/KEY/ksk-1/ID-CERT
> 
> This exports the root certificate to stdout. It can also be exported to a file using the -f option.
> 
> b.      ndns-add-rr-from-file /example
> 
> This inserts the root certificate into the NDNS database (publishes it under zone /example). The default is to use stdin as input, so you can just copy and paste the output from 2.a. It will terminate with Ctrl+D.
> 
> 3)      Create site1 zone: /example/site1
> 
> a.       ndns-create-zone  /example/site1
> 
> Here, the tool will automatically generate a self-signed KSK and a corresponding DSK. Moreover, the DSK will be published automatically.
> 
> 4)      Delegate site1 zone from root zone
> 
> a.       ndns-add-rr -t resp /example /site1 NS
> 
> This adds an rrset into zone /example which has label /site1 and type /NS. Specifically, the content-type of the rrset is set to resp, which indicates the existence of zone /example/site1. Now the delegation is completed. However, if the site zone is a leaf zone, a TXT type rrset is preferred.
> 
> 5)      Publish site1 certificate: /example/KEY/site1/ksk-2/ID-CERT  (Site1’s KSK needs to be published in its parent zone, i.e. the root zone.)
> 
> a.       ndns-export-certificate /example/KEY/site1/ksk-2/ID-CERT -f site1.cert
> 
> Export the certificate from site1 zone.
> 
> b.      Pass the certificate to the parent zone, i.e. the root zone here. (Use whatever method you prefer.)
> 
> c.       ndns-add-rr-from-file /example -f site1.cert
> 
> Here the tool will re-sign the certificate with the zone’s DSK such that an authentication chain can be established. After that, it will publish the certificate in the NDNS database with label set to /site1/ksk-2 and type set to ID-CERT.
> 
> 6)      Publish user1 certificate: /example/site1/KEY/user1/ksk-3/ID-CERT (Assuming it is stored as user1.cert)
> 
> a.       ndns-add-rr-from-file /example/site1 -f user1.cert
> 
> Note again, this operation needs to be done in the parent zone, i.e. /example/site1.
> 
> In NDNS, publishing a certificate essentially means inserting the certificate into the NDNS database as an ID-CERT rrset. Therefore, I use these two terms interchangeably here.
> 
> Thank you for asking this question. I will try to make the answer as complete as possible and post this answer on the ndns-tr as an appendix.
> 
> BTW, Xiaoke please supplement my explanation if necessary.
> 
> Regards,
> 
> Jiewen Tan
> 
> From: Junxiao Shi [mailto:shijunxiao at email.arizona.edu <mailto:shijunxiao at email.arizona.edu>] 
> Sent: Wednesday, March 11, 2015 11:56 AM
> To: <nfd-dev at lists.cs.ucla.edu <mailto:nfd-dev at lists.cs.ucla.edu>>
> Cc: Xiaoke Jiang; Jiewen Tan
> Subject: Re: [Nfd-dev] How to start a certificate chain from scratch
> 
> Hi Xiaoke/Jiewen
> 
> (correcting a typo below)
> 
> Thanks for your examples. However, I need to start from scratch. Suppose:
> 
> ·  root/site/user certificates are created according to http://www.lists.cs.ucla.edu/pipermail/nfd-dev/2014-November/000616.html <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/2014-November/000616.html>
> ·  Two machines have NDNS package installed. One is to host root zone, the other is to host site1 zone.
> 
> I need the commands to:
> 
> ·  create root zone: /example
> ·  publish root certificate: /example/KEY/ksk-1/ID-CERT
> ·  create site1 zone: /example/site1
> ·  delegate site1 zone from root zone
> ·  publish site1 certificate: /example/KEY/site1/ksk-2/ID-CERT (should this be published at root zone or site1 zone?)
> ·  publish user1 certificate: /example/site1/KEY/user1/ksk-3/ID-CERT
> 
> Yours, Junxiao
> 
> 
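The zone listing Junxiao posted above shows the problem Jiewen confirmed: the root KSK was re-signed by the zone's DSK instead of staying self-signed, so no trust anchor exists at the top of the chain. As an added example (not code from this thread or from the ndns project), the Python below parses `ndns-list-zone` output and reports every ID-CERT whose signer breaks the expected chain (root KSK self-signed, the zone's DSK signed by its KSK, delegated child KSKs signed by the zone's DSK); the sample listing is copied from the thread, and the `is_root_zone` flag and the finding wording are this script's own assumptions.

```python
import re

# Sample input: the `ndns-list-zone /root` output quoted in the thread (blank lines dropped).
SAMPLE_LISTING = """\
; Zone /root
; rrset=/site1 type=NS version=%FD%00%00%01L5%A2k%D0 signed-by=/root/KEY/dsk-1426828258078/ID-CERT
/site1                    3600  NS
/dsk-1426828258078        3600  ID-CERT  ; content-type=NDNS-Raw version=%FD%00%00%01L5%97l%23 signed-by=/root/KEY/ksk-1426828193071/ID-CERT
/ksk-1426828193071        3600  ID-CERT  ; content-type=NDNS-Raw version=%FD%00%00%01L5%96n%83 signed-by=/root/KEY/dsk-1426828258078/ID-CERT
/site1/ksk-1426828890240  3600  ID-CERT  ; content-type=NDNS-Raw version=%FD%00%00%01L5%A1%12d signed-by=/root/KEY/dsk-1426828258078/ID-CERT
"""
ZONE_RE = re.compile(r"^; Zone (\S+)")
CERT_RE = re.compile(r"^(\S+)\s+\d+\s+ID-CERT\s+;.*\bsigned-by=(\S+)")

def parse_id_certs(listing):
    """Return (zone name, {rr label: signing certificate name}) for every ID-CERT rrset."""
    zone, certs = None, {}
    for line in listing.splitlines():
        m = ZONE_RE.match(line)
        if m:
            zone = m.group(1)
            continue
        m = CERT_RE.match(line)
        if m:
            certs[m.group(1)] = m.group(2)
    return zone, certs

def cert_name(zone, label):
    """NDNS names the ID-CERT for label /site1/ksk-2 in zone /example as /example/KEY/site1/ksk-2/ID-CERT."""
    return f"{zone}/KEY{label}/ID-CERT"

def check_chain(listing, is_root_zone):
    """Compare each ID-CERT's signer with the expected chain and return a list of findings."""
    zone, certs = parse_id_certs(listing)
    own = {lbl for lbl in certs if lbl.count("/") == 1}  # the zone's own ksk-*/dsk-* labels
    ksks = {cert_name(zone, l) for l in own if l.startswith("/ksk-")}
    dsks = {cert_name(zone, l) for l in own if l.startswith("/dsk-")}
    findings = []
    for label, signer in certs.items():
        me = cert_name(zone, label)
        if label in own and label.startswith("/ksk-"):
            # A root zone's KSK is the trust anchor and must be self-signed; a child zone's
            # KSK is vouched for in the parent's listing, so it is not judged here.
            if is_root_zone and signer != me:
                findings.append(f"root KSK {me} is not self-signed (signed by {signer})")
        elif label in own and signer not in ksks:  # the zone's DSK must be signed by its own KSK
            findings.append(f"DSK {me} is not signed by this zone's KSK (signed by {signer})")
        elif label not in own and signer not in dsks:  # delegated child keys are re-signed by the DSK
            findings.append(f"child cert {me} is not signed by this zone's DSK (signed by {signer})")
    return findings
```

Run against the sample, the only finding is the root KSK signed by the root DSK, which is exactly what the listing above shows; the DSK and the delegated /site1 KSK pass.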
