Skip to content

Clean up old data validation code and remove ignoreValidity#186

Merged
tianyuan129 merged 26 commits into
named-data:mainfrom
greetingsuniverse:retired-certs
Jun 28, 2026
Merged

Clean up old data validation code and remove ignoreValidity#186
tianyuan129 merged 26 commits into
named-data:mainfrom
greetingsuniverse:retired-certs

Conversation

@greetingsuniverse

Copy link
Copy Markdown
Contributor

No description provided.

@tianyuan129 tianyuan129 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Actually it's more comprehensive than I initially thought! Huge thanks to the contribution. Just a comment here. If you think it's unnecessary I can just go merge.


// Check if certificate is valid
if sec.CertIsExpired(data) {
return ndn.ErrInvalidValue{Item: "certificate expiry"}

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest we make a warning here instead.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think removing this check can potentially cause the trust schema Suggest to suggest an expired signing key, this could be prevented by adding an expiry check in Suggest which makes sense to have (it doesn't currently), I'm not sure if the lack of this check would lead to other issues in the future though.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about this, we keep this rejection, but meanwhile in Suggest() we add the ValidityPeriod check?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this mean we won't store any expired certificate for validation caching? (the CertCache also removes expired or nearly expired certificate)

@tianyuan129 tianyuan129 Jun 27, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I mean downgrade this rejection to a warning, meanwhile let Suggest() consider ValidityPeriod.

At some time points, we do need a function to purge expired certs from keychain....

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually I was mistaken and just didn't notice the check for validity period in Suggest() somehow, I think this can be merged

The keychain has a function to delete certs which could be used by applications to do purging, agree there probably should be one that iterates through all of them though

@tianyuan129 tianyuan129 merged commit 3378099 into named-data:main Jun 28, 2026
9 checks passed
@greetingsuniverse greetingsuniverse deleted the retired-certs branch June 28, 2026 16:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants