remove IgnoreValidity and introduce UseSignatureTime in SVS and repo

Author: greetingsuniverse

repo/config.go

@@ -17,8 +17,6 @@ type Config struct {
 	KeyChainUri string `json:"keychain"`
 	// List of trust anchor full names.
 	TrustAnchors []string `json:"trust_anchors"`
-	// IgnoreValidity skips validity period checks when fetching remote data (e.g. SVS snapshots).
-	IgnoreValidity bool `json:"ignore_validity"`
 
 	// NameN is the parsed name of the repo service.
 	NameN enc.Name

repo/repo_mgmt.go

@@ -197,9 +197,9 @@ func (r *Repo) fetchSecurityConfig(name enc.Name) (*tlv.SecurityConfigObject, er
 
 	// Repo should validate this as normal command
 	r.client.ConsumeExt(ndn.ConsumeExtArgs{
-		Name:           name,
-		TryStore:       true,
-		IgnoreValidity: optional.Some(r.config.IgnoreValidity),
+		Name:             name,
+		TryStore:         true,
+		UseSignatureTime: optional.Some(true),
 		Callback: func(state ndn.ConsumeState) {
 			wire = append(wire, state.Content()...)
 			if state.Error() != nil {

repo/repo_svs.go

@@ -54,10 +54,10 @@ func (r *RepoSvs) Start() (err error) {
 		}
 
 		snapshot = &ndn_sync.SnapshotNodeHistory{
-			Client:         r.client,
-			Threshold:      r.cmd.HistorySnapshot.Threshold,
-			IsRepo:         true,
-			IgnoreValidity: optional.Some(r.config.IgnoreValidity),
+			Client:           r.client,
+			Threshold:        r.cmd.HistorySnapshot.Threshold,
+			IsRepo:           true,
+			UseSignatureTime: optional.Some(true),
 		}
 	}
 
@@ -78,7 +78,7 @@ func (r *RepoSvs) Start() (err error) {
 			SuppressionPeriod: 500 * time.Millisecond,
 			PeriodicTimeout:   365 * 24 * time.Hour, // basically never
 			Passive:           true,
-			IgnoreValidity:    optional.Some(r.config.IgnoreValidity),
+			UseSignatureTime:  optional.Some(true),
 		},
 		Snapshot:        snapshot,
 		MulticastPrefix: multicastPrefix,

std/ndn/client.go

@@ -129,8 +129,8 @@ type ConsumeExtArgs struct {
 	OnProgress func(status ConsumeState)
 	// NoMetadata disables fetching RDR metadata (advanced usage).
 	NoMetadata bool
-	// IgnoreValidity ignores validity period in the validation chain
-	IgnoreValidity optional.Optional[bool]
+	// UseSignatureTime checks validity period using signature time
+	UseSignatureTime optional.Optional[bool]
 }
 
 // ExpressRArgs are the arguments for the express retry API.
@@ -167,8 +167,8 @@ type ValidateExtArgs struct {
 	CertNextHop optional.Optional[uint64]
 	// UseDataNameFwHint overrides trust config option.
 	UseDataNameFwHint optional.Optional[bool]
-	// IgnoreValidity ignores validity period in the validation chain.
-	IgnoreValidity optional.Optional[bool]
+	// UseSignatureTime checks validity with signature time
+	UseSignatureTime optional.Optional[bool]
 }
 
 // Announcement are the arguments for the announce prefix API.

std/ndn/engine.go

@@ -89,6 +89,8 @@ type ExpressCallbackArgs struct {
 	// IsLocal indicates if a local copy of the Data was found.
 	// e.g. returned by ExpressR when used with TryStore.
 	IsLocal bool
+
+	UseSignatureTime optional.Optional[bool]
 }
 
 // InterestHandler represents the callback function for an Interest handler.

std/object/client_consume.go

@@ -64,7 +64,7 @@ func (c *Client) consumeObject(state *ConsumeState) {
 		// if metadata fetching is disabled, just attempt to fetch one segment
 		// with the prefix, then get the versioned name from the segment.
 		if state.args.NoMetadata {
-			c.fetchDataByPrefix(name, state.args.TryStore,
+			c.fetchDataByPrefix(name, state.args.TryStore, state.args.UseSignatureTime.GetOr(false),
 				func(data ndn.Data, err error) {
 					if err != nil {
 						state.finalizeError(err)
@@ -81,7 +81,7 @@ func (c *Client) consumeObject(state *ConsumeState) {
 		}
 
 		// fetch RDR metadata for this object
-		c.fetchMetadata(name, state.args.TryStore,
+		c.fetchMetadata(name, state.args.TryStore, state.args.UseSignatureTime.GetOr(false),
 			func(meta *rdr.MetaData, err error) {
 				if err != nil {
 					state.finalizeError(err)
@@ -107,6 +107,7 @@ func (c *Client) consumeObjectWithMeta(state *ConsumeState, meta *rdr.MetaData)
 func (c *Client) fetchMetadata(
 	name enc.Name,
 	tryStore bool,
+	useSignatureTime bool,
 	callback func(meta *rdr.MetaData, err error),
 ) {
 	log.Debug(c, "Fetching object metadata", "name", name)
@@ -130,8 +131,9 @@ func (c *Client) fetchMetadata(
 				return
 			}
 			c.ValidateExt(ndn.ValidateExtArgs{
-				Data:       args.Data,
-				SigCovered: args.SigCovered,
+				Data:             args.Data,
+				SigCovered:       args.SigCovered,
+				UseSignatureTime: optional.Some(useSignatureTime),
 				Callback: func(valid bool, err error) {
 					// validate with trust config
 					if !valid {
@@ -160,6 +162,7 @@ func (c *Client) fetchMetadata(
 func (c *Client) fetchDataByPrefix(
 	name enc.Name,
 	tryStore bool,
+	useSignatureTime bool,
 	callback func(data ndn.Data, err error),
 ) {
 	log.Debug(c, "Fetching data with prefix", "name", name)
@@ -183,8 +186,9 @@ func (c *Client) fetchDataByPrefix(
 				return
 			}
 			c.ValidateExt(ndn.ValidateExtArgs{
-				Data:       args.Data,
-				SigCovered: args.SigCovered,
+				Data:             args.Data,
+				SigCovered:       args.SigCovered,
+				UseSignatureTime: optional.Some(useSignatureTime),
 				Callback: func(valid bool, err error) {
 					if !valid {
 						callback(nil, fmt.Errorf("%w: validate by prefix failed: %w", ndn.ErrSecurity, err))

std/object/client_consume_seg.go

@@ -286,9 +286,9 @@ func (s *rrSegFetcher) handleResult(args ndn.ExpressCallbackArgs, state *Consume
 // The notable exception here is when there is a timeout, which has a separate goroutine.
 func (s *rrSegFetcher) handleData(args ndn.ExpressCallbackArgs, state *ConsumeState) {
 	s.client.ValidateExt(ndn.ValidateExtArgs{
-		Data:           args.Data,
-		SigCovered:     args.SigCovered,
-		IgnoreValidity: state.args.IgnoreValidity,
+		Data:             args.Data,
+		SigCovered:       args.SigCovered,
+		UseSignatureTime: state.args.UseSignatureTime,
 		Callback: func(valid bool, err error) {
 			if !valid {
 				state.finalizeError(fmt.Errorf("%w: validate seg failed: %w", ndn.ErrSecurity, err))

std/object/client_trust.go

@@ -46,6 +46,7 @@ func (c *Client) ValidateExt(args ndn.ValidateExtArgs) {
 		Callback:          args.Callback,
 		OverrideName:      overrideName,
 		UseDataNameFwHint: args.UseDataNameFwHint,
+		UseSignatureTime:  args.UseSignatureTime,
 		Fetch: func(name enc.Name, config *ndn.InterestConfig, callback ndn.ExpressCallbackFunc) {
 			config.NextHopId = args.CertNextHop
 			c.ExpressR(ndn.ExpressRArgs{

std/security/keychain/keychain_state.go

@@ -119,11 +119,6 @@ func (kc *keyChainState) insertCert(wire []byte) error {
 		return ndn.ErrInvalidValue{Item: "certificate name"}
 	}
 
-	// Check if certificate is valid
-	if sec.CertIsExpired(data) {
-		return ndn.ErrInvalidValue{Item: "certificate expiry"}
-	}
-
 	// Check if certificate already exists
 	for _, existing := range kc.certNames {
 		if existing.Equal(name) {

std/sync/snapshot_node_history.go

@@ -44,8 +44,8 @@ type SnapshotNodeHistory struct {
 
 	// In Repo mode, all snapshots are fetched automtically for persistence.
 	IsRepo bool
-	// IgnoreValidity ignores validity period in the validation chain
-	IgnoreValidity optional.Optional[bool]
+	// UseSignatureTime checks validity period using signature time
+	UseSignatureTime optional.Optional[bool]
 	// repoKnown is the known snapshot sequence number.
 	repoKnown SvMap[uint64]
 
@@ -162,8 +162,8 @@ func (s *SnapshotNodeHistory) idxName(node enc.Name, boot uint64) enc.Name {
 // fetchIndex fetches the latest index for a remote node.
 func (s *SnapshotNodeHistory) fetchIndex(node enc.Name, boot uint64, known uint64) {
 	s.Client.ConsumeExt(ndn.ConsumeExtArgs{
-		Name:           s.idxName(node, boot),
-		IgnoreValidity: s.IgnoreValidity,
+		Name:             s.idxName(node, boot),
+		UseSignatureTime: s.UseSignatureTime,
 		Callback: func(cstate ndn.ConsumeState) {
 			go s.handleIndex(node, boot, known, cstate)
 		},
@@ -210,9 +210,9 @@ func (s *SnapshotNodeHistory) handleIndex(node enc.Name, boot uint64, known uint
 
 			snapName := s.snapName(node, boot).WithVersion(seqNo)
 			s.Client.ConsumeExt(ndn.ConsumeExtArgs{
-				Name:           snapName,
-				IgnoreValidity: s.IgnoreValidity,
-				Callback:       func(cstate ndn.ConsumeState) { snapC <- cstate },
+				Name:             snapName,
+				UseSignatureTime: s.UseSignatureTime,
+				Callback:         func(cstate ndn.ConsumeState) { snapC <- cstate },
 			})
 
 			scstate := <-snapC