blob: 044161d0773dd461bf9a0aebc1c664b438f122e3 [file] [log] [blame]
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -07001Validator Configuration File Format
2===================================
3
Yingdi Yu4e99f532014-08-25 19:40:57 -07004.. contents::
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -07005
Yingdi Yu4e99f532014-08-25 19:40:57 -07006You can set up a ``Validator`` via a configuration file. Next, we will show you how to
7write a configuration file.
8
9The configuration file consists of **rules** and **trust-anchors** that will be used in
10validation. **Rules** tell the validator how to validate a packet, while **trust-anchors**
11tell the validator which certificates are valid immediately. Here is an example of
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080012configuration file containing two rules and a trust anchor.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070013
14::
15
16 rule
17 {
18 id "Simple Rule"
19 for data
20 filter
21 {
22 type name
23 name /localhost/example
24 relation is-prefix-of
25 }
26 checker
27 {
28 type customized
29 sig-type rsa-sha256
30 key-locator
31 {
32 type name
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080033 name /ndn/edu/ucla/yingdi/KEY/ksk-1234
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070034 relation equal
35 }
36 }
37 }
38 rule
39 {
40 id "Testbed Validation Rule"
41 for data
42 checker
43 {
44 type hierarchical
45 sig-type rsa-sha256
46 }
47 }
48 trust-anchor
49 {
50 type file
51 file-name "testbed-trust-anchor.cert"
52 }
53
Yingdi Yu4e99f532014-08-25 19:40:57 -070054.. note::
55 **ATTENTION: The order of rules MATTERS!**
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070056
57A rule can be broken into two parts:
58
59- The first part is to qualify packets to which the rule can be
60 applied;
61- The second part is to check whether further validation process is
62 necessary.
63
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080064When a packet is presented for validation, the validator will check the rules one-by-one
65in the configuration file using **for** and **filter** conditions against the packet,
66until finding a rule for which the packet qualifies. After that, the **checker**
67conditions of the matched rule will be used to check the validity of the packet. If the
68packet does not match any rules, it is treated as an invalid packet. Once a packet has
69been matched by a rule, the remaining rules are not applied to the packet (i.e., the
70matched rule "captures" the packet). Therefore, you should always put the most specific
71rule first.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070072
Yingdi Yu4e99f532014-08-25 19:40:57 -070073In the example configuration, the first rule indicates that all the data packets under the
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080074name prefix ``/localhost/example`` must be signed by a certificate whose name (the key
75part) is ``/ndn/edu/ucla/yingdi/KEY/ksk-1234``. If a packet does not have a name under
76prefix ``/localhost/example``, the validator will skip the first rule and apply the second
77rule. The second rule indicates that all other data packets must be validated using the
78hierarchical policy (data name should be prefix or equal to the identity part of the
79certificate name). The example configuration defines that all certificate chains must be
80rooted in the certificate defined in the file "testbed-trust-anchor.cert".
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070081
82Rules in general
83----------------
84
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080085A rule has four properties: **id**, **for**, **filter**, and **checker**.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070086
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080087The **id** property uniquely identifies the rule in the configuration file. As long as
Yingdi Yu4e99f532014-08-25 19:40:57 -070088being unique, any name can be given to a rule, e.g., "Simple Rule", "Testbed Validation
89Rule". A rule must have one and only one **id** property.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070090
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080091A rule is either used to validate a data packet or an interest packet. This information
92is specified in the **for** property, which can be either **data** or **interest**. A
93rule must have exactly one **for** property.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070094
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080095The **filter** property further constrains the packets that can be checked by the
96rule. The filter property is not required in a rule; if omitted, the rule will capture all
97packets passed to it. A rule may contain multiple filters, in this case, a packet
98is captured by the rule only if all filters are satisfied.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070099
Yingdi Yu4e99f532014-08-25 19:40:57 -0700100.. note::
101 **ATTENTION: A packet that satisfies all the filters may not be valid**.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700102
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800103The **checker** property defines the conditions that a matched packet must fulfill to be
Zhiyi Zhang044bb7e2016-06-10 00:02:37 -0700104treated as a valid packet. A rule must have at least one **checker** property. A packet is
105treated as valid if it can pass at least one of the checkers and as invalid when it cannot
106pass any checkers.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700107
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700108Filter Property
109---------------
110
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800111Filter has a **type** property and type-specific properties. Although a rule can contain
112more than one filters, there can be at most one filter of each type.
113
114Currently, only the packet name filter is defined.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700115
116Name Filter
117~~~~~~~~~~~
118
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800119There are two ways to express the conditions on packet name:
120
121- relationship between the packet name and the specified name
122- :doc:`NDN regular expression <utils-ndn-regex>` match.
123
124Name and Relation
125^^^^^^^^^^^^^^^^^
126
127In the first case, two more properties are required: **name** and **relation**. A packet
128can fulfill the condition if the **name** has a **relation** to the packet's name. Three
129types of **relation** has been defined: **equal**, **is-prefix-of**,
130**is-strict-prefix-of**. For example, the filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700131
132::
133
134 filter
135 {
136 type name
137 name /localhost/example
138 relation equal
139 }
140
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800141will capture only a packet with the exact name ``/localhost/example``.
142
143The filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700144
145::
146
147 filter
148 {
149 type name
150 name /localhost/example
151 relation is-prefix-of
152 }
153
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800154will capture a packet with name ``/localhost/example`` or ``/localhost/example/data``, but
155will not capture a packet with name ``/localhost/another_example``. And the filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700156
157::
158
159 filter
160 {
161 type name
162 name /localhost/example
163 relation is-strict-prefix-of
164 }
165
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800166will capture a packet with name ``/localhost/example/data``, but will not capture a packet
Yingdi Yu4e99f532014-08-25 19:40:57 -0700167with name ``/localhost/example``.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700168
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800169NDN Regular Expression Match
170^^^^^^^^^^^^^^^^^^^^^^^^^^^^
171
Yingdi Yu4e99f532014-08-25 19:40:57 -0700172The second way is to specify an :doc:`utils-ndn-regex` that can match the packet. In this
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800173case, only one property **regex** is required. For example, the filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700174
175::
176
177 filter
178 {
179 type name
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800180 regex ^<>*<KEY><><><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700181 }
182
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800183will capture all certificates.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700184
185Checker Property
186----------------
187
Yingdi Yu4e99f532014-08-25 19:40:57 -0700188Passing all the filters in a rule only indicates that a packet can be checked using the
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800189rule, and it does not necessarily imply that the packet is valid. The validity of a
Yingdi Yu4e99f532014-08-25 19:40:57 -0700190packet is determined by the property **checker**, which defines the conditions that a
191valid packet must fulfill.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700192
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800193Same as **filter**, **checker** has a property **type**. We have defined two types of
194checkers:
195
196- **customized** is a checker that allows customization of the conditions according to specific
197 requirements;
198
199- **hierarchical** is a checker with pre-defined hierarchical trust model.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700200
201Customized Checker
202~~~~~~~~~~~~~~~~~~
203
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800204The customized checker requires two properties: **sig-type**, **key-locator**. Both must
205appear exactly once and are related to the ``SignatureInfo`` of a packet.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700206
207::
208
209 checker
210 {
211 type customized
212 sig-type ...
213 key-locator
214 {
215 ...
216 }
217 }
218
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800219The property **sig-type** specifies the acceptable signature type and can be
220**rsa-sha256**, **ecdsa-sha256** (strong signature types), or **sha256** (weak signature
221type). If sig-type is sha256, **key-locator** is ignored, and the validator will simply
222calculate the digest of a packet and compare it with the one in ``SignatureValue``. If
223sig-type is rsa-sha256 or ecdsa-sha256, you have to further customize the checker with
224**key-locator**.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700225
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800226The property **key-locator** specifies the conditions on ``KeyLocator``. If the
Yingdi Yu4e99f532014-08-25 19:40:57 -0700227**key-locator** property is specified, it requires the existence of the ``KeyLocator``
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800228field in ``SignatureInfo``. **key-locator** property only supports one type: **name**:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700229
230::
231
232 key-locator
233 {
234 type name
235 ...
236 }
237
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800238This key-locator property specifies the conditions on the certificate name of the signing
239key. Since the conditions are about name, they can be specified in the same way as the
240name filter. For example, a checker can be:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700241
242::
243
244 checker
245 {
246 type customized
247 sig-type rsa-sha256
248 key-locator
249 {
250 type name
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800251 name /ndn/edu/ucla/yingdi/KEY/ksk-1234
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700252 relation equal
253 }
254 }
255
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800256This checker property requires that the packet must have a ``rsa-sha256`` signature that
257can be verified with ``/ndn/edu/ucla/yingdi/KEY/ksk-1234`` key.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700258
Yingdi Yu4e99f532014-08-25 19:40:57 -0700259Besides the two ways to express conditions on the ``KeyLocator`` name (name and regex),
260you can further constrain the ``KeyLocator`` name using the information extracted from the
261packet name. This third type of condition is expressed via a property
262**hyper-relation**. The **hyper-relation** property consists of three parts:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700263
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800264- an NDN regular expression that extracts information from the packet name
265- an NDN regular expression that extracts information from the ``KeyLocator`` name
266- relation from the part extracted from the ``KeyLocator`` name to the one extracted from
267 the packet name
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700268
269For example, a checker:
270
271::
272
273 checker
274 {
275 type customized
276 sig-type rsa-sha256
277 key-locator
278 {
279 type name
280 hyper-relation
281 {
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800282 k-regex ^(<>*)<KEY><>$
283 k-expand \\1
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700284 h-relation is-prefix-of
285 p-regex ^(<>*)$
286 p-expand \\1
287
288 }
289 }
290 }
291
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800292requires the packet name must be under the corresponding namespace (identity part) of the
293``KeyLocator`` name.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700294
295Hierarchical Checker
296~~~~~~~~~~~~~~~~~~~~
297
Yingdi Yu4e99f532014-08-25 19:40:57 -0700298As implied by its name, hierarchical checker requires that the packet name must be under
299the namespace of the packet signer. A hierarchical checker:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700300
301::
302
303 checker
304 {
305 type hierarchical
306 sig-type rsa-sha256
307 }
308
309is equivalent to a customized checker:
310
311::
312
313 checker
314 {
315 type customized
316 sig-type rsa-sha256
317 key-locator
318 {
319 type name
320 hyper-relation
321 {
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800322 k-regex ^(<>*)<KEY><>$
323 k-expand \\1
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700324 h-relation is-prefix-of
325 p-regex ^(<>*)$
326 p-expand \\1
327 }
328 }
329 }
330
Alexander Afanasyevd36dd552014-06-30 12:42:46 -0700331.. _validator-conf-trust-anchors:
332
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700333Trust Anchors
334-------------
335
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800336**trust-anchor** is a necessary option in order to properly validate packets. A
337configuration file may contain more than one trust anchors and the order of trust anchors
338does not matter. The structure of trust-anchor is as follows:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700339
340::
341
342 trust-anchor
343 {
344 type file
345 file-name "trusted-signer.cert"
346 }
347 trust-anchor
348 {
349 type base64
350 base64-string "Bv0DGwdG...amHFvHIMDw=="
351 }
352
Yingdi Yu4e99f532014-08-25 19:40:57 -0700353You may also specify a trust-anchor directory. All certificates under this directory are
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800354taken as static trust anchors. For example, if all trust anchors are put into
Yingdi Yu4e99f532014-08-25 19:40:57 -0700355``/usr/local/etc/ndn/keys``.
Yingdi Yub4650652014-04-17 10:19:59 -0700356
357::
358
359 trust-anchor
360 {
361 type dir
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800362 dir /usr/local/etc/ndn/keys
Yingdi Yub4650652014-04-17 10:19:59 -0700363 }
364
Yingdi Yu4e99f532014-08-25 19:40:57 -0700365If certificates under the directory might be changed during runtime, you can set a refresh
366period, such as
Yingdi Yub4650652014-04-17 10:19:59 -0700367
368::
369
370 trust-anchor
371 {
372 type dir
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800373 dir /usr/local/etc/ndn/keys
Yingdi Yub4650652014-04-17 10:19:59 -0700374 refresh 1h ; refresh certificates every hour, other units include m (for minutes) and s (for seconds)
375 }
376
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800377There is also a special trust anchor **any**. As long as such a trust-anchor is defined
Yingdi Yu4e99f532014-08-25 19:40:57 -0700378in config file, packet validation will be turned off.
Yingdi Yu44d190c2014-04-16 17:05:46 -0700379
Yingdi Yu4e99f532014-08-25 19:40:57 -0700380.. note::
381 **ATTENTION: This type of trust anchor is dangerous. You should used it only when you
382 want to disable packet validation temporarily (e.g, debugging code, building a demo).**
Yingdi Yu44d190c2014-04-16 17:05:46 -0700383
384::
385
386 trust-anchor
387 {
388 type any
389 }
390
Yingdi Yub4650652014-04-17 10:19:59 -0700391
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700392Example Configuration For NLSR
393------------------------------
394
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800395.. note::
396 **These example assumes the v1 certificate naming convention that is no longer in
397 use. The example will be updated later.**
398
Yingdi Yu4e99f532014-08-25 19:40:57 -0700399The trust model of NLSR is semi-hierarchical. An example certificate signing hierarchy is:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700400
401::
402
403 root
404 |
405 +--------------+---------------+
406 site1 site2
407 | |
408 +---------+---------+ +
409 operator1 operator2 operator3
410 | | |
411 +-----+-----+ +----+-----+ +-----+-----+--------+
412 router1 router2 router3 router4 router5 router6 router7
413 | | | | | | |
414 + + + + + + +
415 NLSR NSLR NSLR NSLR NSLR NSLR NSLR
416
417However, entities name may not follow the signing hierarchy, for
418example:
419
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700420+------------+-------------------------------------------------------------------------------------+
421| Entity | Identity name and examples |
422+============+=====================================================================================+
423| root | ``/<network>`` |
424| | |
425| | Identity example: ``/ndn`` |
426| | |
427| | Certificate name example: ``/ndn/KEY/ksk-1/ID-CERT/%01`` |
428+------------+-------------------------------------------------------------------------------------+
429| site | ``/<network>/<site>`` |
430| | |
431| | Identity example: ``/ndn/edu/ucla`` |
432| | |
433| | Certificate name example: ``/ndn/edu/ucla/KEY/ksk-2/ID-CERT/%01`` |
434+------------+-------------------------------------------------------------------------------------+
435| operator | ``/<network>/<site>/%C1.O.N./<operator-id>`` |
436| | |
437| | Identity example: ``/ndn/edu/ucla/%C1.O.N./op1`` |
438| | |
439| | Certificate name example: ``/ndn/edu/ucla/%C1.O.N./op1/KEY/ksk-3/ID-CERT/%01`` |
440+------------+-------------------------------------------------------------------------------------+
441| router | ``/<network>/<site>/%C1.O.R./<router-id>`` |
442| | |
443| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1`` |
444| | |
445| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/KEY/ksk-4/ID-CERT/%01`` |
446+------------+-------------------------------------------------------------------------------------+
447| NLSR | ``/<network>/<site>/%C1.O.R./<router-id>/NLSR`` |
448| | |
449| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR`` |
450| | |
451| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/KEY/ksk-5/ID-CERT/%01`` |
452+------------+-------------------------------------------------------------------------------------+
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700453
454Assume that a typical NLSR data name is
Yingdi Yu4e99f532014-08-25 19:40:57 -0700455``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/LSA/LSType.1/%01``. Then, the exception of naming
456hierarchy is "operator-router". So we can write a configuration file with three rules. The
457first one is a customized rule that capture the normal NLSR data. The second one is a
458customized rule that handles the exception case of the hierarchy (operator->router). And
459the last one is a hierarchical rule that handles the normal cases of the hierarchy.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700460
Yingdi Yu4e99f532014-08-25 19:40:57 -0700461We put the NLSR data rule to the first place, because NLSR data packets are the most
462frequently checked. The hierarchical exception rule is put to the second, because it is
463more specific than the last one.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700464
465And here is the configuration file:
466
467::
468
469 rule
470 {
471 id "NSLR LSA Rule"
472 for data
473 filter
474 {
475 type name
476 regex ^[^<NLSR><LSA>]*<NLSR><LSA>
477 }
478 checker
479 {
480 type customized
481 sig-type rsa-sha256
482 key-locator
483 {
484 type name
485 hyper-relation
486 {
487 k-regex ^([^<KEY>]*)<KEY><ksk-.*><ID-CERT>$
488 k-expand \\1
489 h-relation equal
490 p-regex ^([^<NLSR><LSA>]*)<NLSR><LSA><LSType\.\d><>$
491 p-expand \\1
492 }
493 }
494 }
495 }
496 rule
497 {
498 id "NSLR Hierarchy Exception Rule"
499 for data
500 filter
501 {
502 type name
503 regex ^[^<KEY><%C1.O.R.>]*<%C1.O.R.><><KEY><ksk-.*><ID-CERT><>$
504 }
505 checker
506 {
507 type customized
508 sig-type rsa-sha256
509 key-locator
510 {
511 type name
512 hyper-relation
513 {
514 k-regex ^([^<KEY><%C1.O.N.>]*)<%C1.O.N.><><KEY><ksk-.*><ID-CERT>$
515 k-expand \\1
516 h-relation equal
517 p-regex ^([^<KEY><%C1.O.R.>]*)<%C1.O.R.><><KEY><ksk-.*><ID-CERT><>$
518 p-expand \\1
519 }
520 }
521 }
522 }
523 rule
524 {
525 id "NSLR Hierarchical Rule"
526 for data
527 filter
528 {
529 type name
530 regex ^[^<KEY>]*<KEY><ksk-.*><ID-CERT><>$
531 }
532 checker
533 {
534 type hierarchical
535 sig-type rsa-sha256
536 }
537 }
538 trust-anchor
539 {
540 type file
541 file-name "testbed-trust-anchor.cert"
542 }
543
Yingdi Yu4e99f532014-08-25 19:40:57 -0700544Example Configuration For NFD RIB Management
545--------------------------------------------
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700546
Davide Pesavento0530b5b2016-11-07 03:23:58 +0100547Assume `NFD RIB Management <https://redmine.named-data.net/projects/nfd/wiki/RibMgmt>`_
Yingdi Yu4e99f532014-08-25 19:40:57 -0700548allows any valid testbed certificate to register prefix, the configuration file could be
549written as:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700550
551::
552
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800553 rule
554 {
555 id "RIB Prefix Registration Command Rule"
556 for interest ; rule for Interests (to validate CommandInterests)
557 filter
558 {
559 type name ; condition on interest name (w/o signature)
560 regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<><><>$ ; prefix before
561 ; SigInfo & SigValue
562 }
563 checker
564 {
565 type customized
566 sig-type rsa-sha256 ; interest must have a rsa-sha256 signature
567 key-locator
568 {
569 type name ; key locator must be the certificate name of the
570 ; signing key
571 regex ^<>*<KEY><><><>$
572 }
573 }
574 checker
575 {
576 type customized
577 sig-type ecdsa-sha256 ; interest must have a ecdsa-sha256 signature
578 key-locator
579 {
580 type name ; key locator must be the certificate name of the
581 ; signing key
582 regex ^<>*<KEY><><><>$
583 }
584 }
585 }
586 rule
587 {
588 id "NDN Testbed Hierarchy Rule"
589 for data ; rule for Data (to validate NDN certificates)
590 filter
591 {
592 type name ; condition on data name
593 regex ^<>*<KEY><><><>$
594 }
595 checker
596 {
597 type hierarchical ; the certificate name of the signing key and
598 ; the data name must follow the hierarchical model
599 sig-type rsa-sha256 ; data must have a rsa-sha256 signature
600 }
601 checker
602 {
603 type hierarchical ; the certificate name of the signing key and
604 ; the data name must follow the hierarchical model
605 sig-type ecdsa-sha256 ; data must have a ecdsa-sha256 signature
606 }
607 }
608 trust-anchor
609 {
610 type file
611 file-name keys/ndn-testbed-root.ndncert.base64
612 }