security: introduce new syntax in cross schema

Author: tianyuan129

docs/cross-schema.md

@@ -11,6 +11,7 @@ CrossSchema = CROSS-SCHEMA-TYPE TLV-LENGTH Data
 ; Content of the Data in the CrossSchema field
 CrossSchemaContent = *SimpleSchemaRule
                      *PrefixSchemaRule
+                     *ComponentSchemaRule
 
 SimpleSchemaRule = SIMPLE-SCHEMA-RULE-TYPE TLV-LENGTH
                    NamePrefix
@@ -19,11 +20,22 @@ SimpleSchemaRule = SIMPLE-SCHEMA-RULE-TYPE TLV-LENGTH
 PrefixSchemaRule = PREFIX-SCHEMA-RULE-TYPE TLV-LENGTH
                    NamePrefix
 
+ComponentSchemaRule = COMPONENT-SCHEMA-RULE-TYPE TLV-LENGTH
+                      NamePrefix
+                      KeyLocator
+                      NameComponentIndex
+                      KeyComponentIndex
+
+; component indices are absolute (relative to the full Data/KeyLocator names)
+NameComponentIndex = NON-NEGATIVE-INTEGER
+KeyComponentIndex = NON-NEGATIVE-INTEGER
+
 NamePrefix = Name
 
 CROSS-SCHEMA-TYPE = 600
 SIMPLE-SCHEMA-RULE-TYPE = 620
 PREFIX-SCHEMA-RULE-TYPE = 622
+COMPONENT-SCHEMA-RULE-TYPE = 624
 ```
 
 ## Usage of `CrossSchema`
@@ -129,3 +141,22 @@ During verification, the verifier:
 
 1. Checks if `NamePrefix` is a prefix of the Data name. If yes, continue; otherwise, reject.
 1. Checks if the `KeyName` appears after `NamePrefix` in the Data name. If yes, accept; otherwise, reject.
+
+### ComponentSchemaRule
+
+A ComponentSchemaRule captures a component in the full Data name (not just the suffix after the prefix) and requires the same component to appear at a specific position in the KeyLocator name. This supports invitations where the producer identifier is not the entire suffix of the Data name.
+
+For example:
+
+```ini
+Content = ComponentSchemaRule {
+  NamePrefix = /ucla.edu/wksp/collab
+  KeyLocator = /arizona.edu
+  NameComponentIndex = 3
+  KeyComponentIndex = 1
+}
+```
+
+1. The rule matches Data names that start with `/ucla.edu/wksp/collab/`, then captures the 4th component in the full name (index 3) as the producer identifier.
+1. The captured component must equal the second component (index 1) in the certificate name after `/arizona.edu`, e.g., `/arizona.edu/alice/KEY/...`.
+1. If either prefix check fails or the indexed components differ, the rule rejects the signer.

std/security/trust_config_test.go

@@ -712,6 +712,53 @@ func testTrustConfigIntra(t *testing.T, schema ndn.TrustSchema) {
 		crossSchema: apInvite,
 	}))
 
+	// Component-based rule: capture producer id between prefix and key name
+	acCollabInvite, err := trust_schema.SignCrossSchema(trust_schema.SignCrossSchemaArgs{
+		Name:   sname("/test/alice/32=INVITE/test/component/v=1"),
+		Signer: aliceSigner,
+		Content: trust_schema.CrossSchemaContent{
+			ComponentSchemaRules: []*trust_schema.ComponentSchemaRule{{
+				NamePrefix:         sname("/test/alice/app/test"),
+				KeyLocator:         &spec.KeyLocator{Name: sname("/test")},
+				NameComponentIndex: 4, // /test alice app test bob -> capture "bob"
+				KeyComponentIndex:  1, // /test bob KEY...
+			}},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour),
+	})
+	require.NoError(t, err)
+
+	// Bob cannot sign in alice namespace without the cross schema
+	require.False(t, validateSync(ValidateSyncOptions{
+		name:   "/test/alice/app/test/bob/component1",
+		signer: bobSigner,
+	}))
+
+	// Bob and Cathy can publish if their id appears in the captured position
+	require.True(t, validateSync(ValidateSyncOptions{
+		name:        "/test/alice/app/test/bob/component1",
+		signer:      bobSigner,
+		crossSchema: acCollabInvite,
+	}))
+	require.True(t, validateSync(ValidateSyncOptions{
+		name:        "/test/alice/app/test/cathy/component2",
+		signer:      cathySigner,
+		crossSchema: acCollabInvite,
+	}))
+
+	// Mismatched captured component is rejected
+	require.False(t, validateSync(ValidateSyncOptions{
+		name:        "/test/alice/app/test/cathy/component2",
+		signer:      bobSigner,
+		crossSchema: acCollabInvite,
+	}))
+	require.False(t, validateSync(ValidateSyncOptions{
+		name:        "/test/alice/app/test",
+		signer:      cathySigner,
+		crossSchema: acCollabInvite,
+	}))
+
 	// Malicious cross schema created by bob for bob
 	bobMCross, err := trust_schema.SignCrossSchema(trust_schema.SignCrossSchemaArgs{
 		Name:   sname("/test/alice/32=INVITE/test/bob/v=1"),

std/security/trust_schema/cross_schema.go

@@ -103,5 +103,28 @@ func (cross *CrossSchemaContent) Match(dataName enc.Name, certName enc.Name) boo
 		}
 	}
 
+	for _, rule := range cross.ComponentSchemaRules {
+		if rule == nil || rule.NamePrefix == nil || rule.KeyLocator == nil || rule.KeyLocator.Name == nil {
+			continue
+		}
+
+		if !rule.NamePrefix.IsPrefix(dataName) || !rule.KeyLocator.Name.IsPrefix(certName) {
+			continue
+		}
+
+		if uint64(len(dataName)) <= rule.NameComponentIndex {
+			continue
+		}
+		if uint64(len(certName)) <= rule.KeyComponentIndex {
+			continue
+		}
+
+		dataComp := dataName[int(rule.NameComponentIndex)]
+		certComp := certName[int(rule.KeyComponentIndex)]
+		if dataComp.Equal(certComp) {
+			return true
+		}
+	}
+
 	return false
 }

std/security/trust_schema/cross_schema_test.go

@@ -55,3 +55,27 @@ func TestSignCrossSchema(t *testing.T) {
 	require.Equal(t, T1.Unix(), nb.Unwrap().Unix())
 	require.Equal(t, T2.Unix(), na.Unwrap().Unix())
 }
+
+func TestCrossSchemaComponentRuleMatch(t *testing.T) {
+	tu.SetT(t)
+
+	dataName := tu.NoErr(enc.NameFromStr("/app/invite/team/alice/data"))
+	certName := tu.NoErr(enc.NameFromStr("/users/alice/KEY/kid/iss/ver"))
+
+	cross := trust_schema.CrossSchemaContent{
+		ComponentSchemaRules: []*trust_schema.ComponentSchemaRule{{
+			NamePrefix:         tu.NoErr(enc.NameFromStr("/app/invite")),
+			KeyLocator:         &spec_2022.KeyLocator{Name: tu.NoErr(enc.NameFromStr("/users"))},
+			NameComponentIndex: 3, // capture "alice" in full data name
+			KeyComponentIndex:  1, // expect it immediately after "/users" in cert name
+		}},
+	}
+
+	require.True(t, cross.Match(dataName, certName))
+
+	mismatchCert := tu.NoErr(enc.NameFromStr("/users/bob/KEY/kid/iss/ver"))
+	require.False(t, cross.Match(dataName, mismatchCert))
+
+	shortName := tu.NoErr(enc.NameFromStr("/app/invite/team"))
+	require.False(t, cross.Match(shortName, certName))
+}

std/security/trust_schema/definitions_crossschema.go

@@ -11,6 +11,8 @@ type CrossSchemaContent struct {
 	SimpleSchemaRules []*SimpleSchemaRule `tlv:"0x26C"`
 	//+field:sequence:*PrefixSchemaRule:struct:PrefixSchemaRule
 	PrefixSchemaRules []*PrefixSchemaRule `tlv:"0x26E"`
+	//+field:sequence:*ComponentSchemaRule:struct:ComponentSchemaRule
+	ComponentSchemaRules []*ComponentSchemaRule `tlv:"0x270"`
 }
 
 type SimpleSchemaRule struct {
@@ -24,3 +26,14 @@ type PrefixSchemaRule struct {
 	//+field:name
 	NamePrefix enc.Name `tlv:"0x07"`
 }
+
+type ComponentSchemaRule struct {
+	//+field:name
+	NamePrefix enc.Name `tlv:"0x07"`
+	//+field:struct:spec_2022.KeyLocator
+	KeyLocator *spec_2022.KeyLocator `tlv:"0x1c"`
+	//+field:natural
+	NameComponentIndex uint64 `tlv:"0x271"`
+	//+field:natural
+	KeyComponentIndex uint64 `tlv:"0x272"`
+}