std: simplify trust-config with new API

Author: pulsejet

std/ndn/engine.go

@@ -84,6 +84,9 @@ type ExpressCallbackArgs struct {
 	NackReason uint64
 	// Error, if the result is InterestResultError.
 	Error error
+	// IsLocal indicates if a local copy of the Data was found.
+	// e.g. returned by ExpressR when used with TryStore.
+	IsLocal bool
 }
 
 // InterestHandler represents the callback function for an Interest handler.

std/object/client_trust.go

@@ -52,6 +52,7 @@ func (c *Client) ValidateExt(args ndn.ValidateExtArgs) {
 				Config:   config,
 				Retries:  3,
 				Callback: callback,
+				TryStore: c.store,
 			})
 		},
 	})

std/object/expressr.go

@@ -36,6 +36,7 @@ func ExpressR(engine ndn.Engine, args ndn.ExpressRArgs) {
 						Data:       data,
 						RawData:    wire,
 						SigCovered: sigCov,
+						IsLocal:    true,
 					})
 				})
 				return

std/security/trust_config.go

@@ -9,6 +9,7 @@ import (
 	"github.com/named-data/ndnd/std/ndn"
 	spec "github.com/named-data/ndnd/std/ndn/spec_2022"
 	"github.com/named-data/ndnd/std/security/signer"
+	"github.com/named-data/ndnd/std/utils"
 )
 
 // TrustConfig is the configuration of the trust module.
@@ -85,6 +86,7 @@ type TrustConfigValidateArgs struct {
 	DataSigCov enc.Wire
 
 	// Fetch is the fetch function to use for fetching certificates.
+	// The fetcher MUST check the store for the certificate before fetching.
 	Fetch func(enc.Name, *ndn.InterestConfig, ndn.ExpressCallbackFunc)
 	// Callback is the callback to call when validation is done.
 	Callback func(bool, error)
@@ -253,33 +255,6 @@ func (tc *TrustConfig) Validate(args TrustConfigValidateArgs) {
 		return
 	}
 
-	// Attempt to get cert from store.
-	if storeCertBytes, err := tc.keychain.Store().Get(keyLocator, true); err != nil { // store is broken (panic)
-		log.Error(tc, "Store returned error", "err", err)
-		args.Callback(false, err)
-		return
-	} else if len(storeCertBytes) > 0 {
-		// Attempt to parse the certificate
-		storeCert, storeCertCov, err := spec.Spec{}.ReadData(enc.NewBufferView(storeCertBytes))
-		if err != nil {
-			// This is not supposed to happen, misconfiguration likely
-			log.Warn(tc, "Failed to parse certificate in store", "err", err)
-		} else if CertIsExpired(storeCert) {
-			// No log, this will happen often.
-			// Try to fetch a fresh cert from network.
-		} else {
-			// The store is not trusted, we must validate the cert
-			args.cert = storeCert
-			args.certSigCov = storeCertCov
-			args.certRaw = nil // don't re-store
-			args.certIsValid = false
-
-			// Continue validation with store cert
-			tc.Validate(args)
-			return
-		}
-	}
-
 	// Cert not found, attempt to fetch from network
 	args.Fetch(keyLocator, &ndn.InterestConfig{
 		CanBePrefix: true,
@@ -312,7 +287,7 @@ func (tc *TrustConfig) Validate(args TrustConfigValidateArgs) {
 		// Call again with the fetched cert
 		args.cert = res.Data
 		args.certSigCov = res.SigCovered
-		args.certRaw = res.RawData
+		args.certRaw = utils.If(!res.IsLocal, res.RawData, nil) // prevent double insert
 		args.certIsValid = false
 
 		// Continue validation with fetched cert

std/security/trust_config_test.go

@@ -186,23 +186,39 @@ func testTrustConfig(t *testing.T, keychain ndn.KeyChain, schema ndn.TrustSchema
 	// Simulate fetch from network using engine
 	fetchCount := 0
 	fetch := func(name enc.Name, _ *ndn.InterestConfig, callback ndn.ExpressCallbackFunc) {
-		fetchCount++
-		for certName, certWire := range network {
-			if strings.HasPrefix(certName, name.String()) {
-				data, sigCov, err := spec.Spec{}.ReadData(enc.NewWireView(certWire))
-				callback(ndn.ExpressCallbackArgs{
-					Result:     ndn.InterestResultData,
-					Data:       data,
-					RawData:    certWire,
-					SigCovered: sigCov,
-					Error:      err,
-				})
-				return
+		var certWire enc.Wire = nil
+		var isLocal bool = false
+
+		// Fetch functions are required to check the store first
+		if buf, _ := keychain.Store().Get(name, true); buf != nil {
+			certWire = enc.Wire{buf}
+			isLocal = true
+		} else {
+			// Simulate fetch from network
+			fetchCount++
+			for netName, netWire := range network {
+				if strings.HasPrefix(netName, name.String()) {
+					certWire = netWire
+					break
+				}
 			}
 		}
-		callback(ndn.ExpressCallbackArgs{
-			Result: ndn.InterestResultNack,
-		})
+
+		if certWire != nil {
+			data, sigCov, err := spec.Spec{}.ReadData(enc.NewWireView(certWire))
+			callback(ndn.ExpressCallbackArgs{
+				Result:     ndn.InterestResultData,
+				Data:       data,
+				RawData:    certWire,
+				SigCovered: sigCov,
+				Error:      err,
+				IsLocal:    isLocal,
+			})
+		} else {
+			callback(ndn.ExpressCallbackArgs{
+				Result: ndn.InterestResultNack,
+			})
+		}
 	}
 
 	// Create trust config
@@ -247,10 +263,15 @@ func testTrustConfig(t *testing.T, keychain ndn.KeyChain, schema ndn.TrustSchema
 	require.True(t, validateSync("/test/bob/data1", bobSigner))
 	require.Equal(t, 1, fetchCount) // fetch bob's certificate
 	require.True(t, validateSync("/test/bob/data2", bobSigner))
-	require.Equal(t, 1, fetchCount) // cert in store
+	require.Equal(t, 1, fetchCount) // cert in cache
 	require.True(t, validateSync("/test/cathy/data1", cathySigner))
 	require.Equal(t, 1, fetchCount) // have all certificates
 
+	// Make sure that bob's cert was inserted into the store
+	if buf, _ := keychain.Store().Get(bobCertData.Name(), false); buf == nil {
+		t.Error("bob's cert not in store")
+	}
+
 	// Signing with admin key
 	require.True(t, validateSync("/test/admin/alice/data1", aliceAdminSigner))