Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 1 | Security Library Tutorial |
| 2 | ========================= |
| 3 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 4 | .. contents:: |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 5 | |
| 6 | Identity, Key and Certificates |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 7 | ------------------------------ |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 8 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 9 | All keys, certificates and their corresponding identities are managed by :ndn-cxx:`KeyChain`. |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 10 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 11 | An real world **identity** can be expressed by a namespace. (e.g., |
| 12 | ``/ndn/edu/ucla/alice``, or ``/ndn/edu/ucla/BoelterHall/4805``). |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 13 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 14 | **Keys** belonging to an identity are named under the identity's namespace, with a unique |
| 15 | **KeyId**:: |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 16 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 17 | /<identity_name>/[KeyId] |
| 18 | |
| 19 | For now, only two types of KeyId are specified: ``ksk-[timestamp]`` and |
| 20 | ``dsk-[timestamp]``. The first type of KeyId is used to denote Key-Signing-Key (KSK) |
| 21 | which is supposed to have a long lifetime. The second type of KeyId is used to denote |
| 22 | Data-Signing-Key (DSK) which is supposed to have a short lifetime. Both types of KeyId |
| 23 | use timestamps (number of milliseconds since unix epoch) to provide relative uniqueness of |
| 24 | key names. Replacing timestamp with key hash can bring stronger uniqueness but on the |
| 25 | cost of longer name. Therefore, key hash is not used for now. For example, |
| 26 | ``/ndn/edu/ucla/alice/ksk-1234567890`` or |
| 27 | ``/ndn/edu/ucla/BoelterHall/4805/dsk-1357924680``. |
| 28 | |
| 29 | An identity may have more than one keys associated with it. For example, one may have a |
| 30 | KSK to sign other keys and a DSK to sign data packets, or one may periodically replace its |
| 31 | expired DSK/KSK with a new key. |
| 32 | |
| 33 | The private part of a key ("private key"), is stored in a :ndn-cxx:`Trusted Platform |
| 34 | Module (TPM) <SecTpm>`. The public part ("public key"), is managed in a |
| 35 | :ndn-cxx:`Public-key Information Base (PIB) <SecPublicInfo>`. The most important |
| 36 | information managed by PIB is **certificates** of public keys. A certificate binds a |
| 37 | public key to its key name or the corresponding identity. The signer (or issuer) of a |
| 38 | certificate vouches for the binding through its own signature. With different signers |
| 39 | vouching for the binding, a public key may have more than one certificates. |
| 40 | |
| 41 | The certificate name follows the naming convention of `NDNS (NDN Domain Name Service) <http://lasr.cs.ucla.edu/afanasyev/data/files/Afanasyev/afanasyev-phd-thesis.pdf>`_. The |
| 42 | public key name will be broken into two parts: |
| 43 | |
| 44 | - The first part ("authoritative namespace") will be put before a name component ``KEY`` |
| 45 | which serves as an application tag |
| 46 | - The second part ("label") will be put between ``KEY`` and ``ID-CERT`` which serves as an |
| 47 | indicator of certificate. |
| 48 | |
| 49 | A version number of the certificate is appended after ``ID-CERT``. For example, |
| 50 | ``/ndn/edu/ucla/KEY/alice/ksk-1234567890/ID-CERT/%FD%01`` or |
| 51 | ``/ndn/edu/ucla/BoelterHall/4805/KEY/dsk-1357924680/ID-CERT/%FD%44``. |
| 52 | |
| 53 | The :ndn-cxx:`NDN certificate <IdentityCertificate>` is just an ordinary `NDN-TLV Data |
| 54 | packet <http://named-data.net/doc/ndn-tlv/data.html>`_, with the content part in DER |
| 55 | encoding that resembles X.509 certificate: |
| 56 | |
| 57 | .. code-block:: cpp |
| 58 | |
| 59 | // NDN-TLV Encoding |
| 60 | Certificate ::= DATA-TLV TLV-LENGTH |
| 61 | Name |
| 62 | MetaInfo (= CertificateMetaInfo) |
| 63 | Content (= CertificateContent) |
| 64 | Signature |
| 65 | |
| 66 | CertificateMetaInfo ::= META-INFO-TYPE TLV-LENGTH |
| 67 | ContentType (= KEY) |
| 68 | FreshnessPeriod (= ?) |
| 69 | |
| 70 | |
| 71 | CertificateContent ::= CONTENT-TYPE TLV-LENGTH |
| 72 | CertificateDerPayload |
| 73 | |
| 74 | |
| 75 | // DER Encoding |
| 76 | CertificateDerPayload ::= SEQUENCE { |
| 77 | validity Validity, |
| 78 | subject Name, |
| 79 | subjectPubKeyInfo SubjectPublicKeyInfo, |
| 80 | extension Extensions OPTIONAL } |
| 81 | |
| 82 | Validity ::= SEQUENCE { |
| 83 | notBefore Time, |
| 84 | notAfter Time } |
| 85 | |
| 86 | Time ::= CHOICE { |
| 87 | GeneralizedTime } |
| 88 | |
| 89 | Name ::= CHOICE { |
| 90 | RDNSequence } |
| 91 | |
| 92 | RDNSequence ::= SEQUENCE OF RelativeDistinguishedName |
| 93 | |
| 94 | RelativeDistinguishedName ::= |
| 95 | SET OF AttributeTypeAndValue |
| 96 | |
| 97 | SubjectPublicKeyInfo ::= SEQUENCE { |
| 98 | algorithm AlgorithmIdentifier |
| 99 | keybits BIT STRING } |
| 100 | |
| 101 | Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension |
| 102 | |
| 103 | See `RFC 3280 <http://www.ietf.org/rfc/rfc3280.txt>`_ for more details about DER field |
| 104 | definitions. |
| 105 | |
| 106 | Signing |
| 107 | ------- |
| 108 | |
| 109 | Key Management |
| 110 | %%%%%%%%%%%%%% |
| 111 | |
| 112 | Create Identity/Keys/Certificate |
| 113 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 114 | |
| 115 | The simplest way to initialize an identity and its key and certificate is to call |
| 116 | :ndn-cxx:`KeyChain::createIdentity` |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 117 | |
| 118 | .. code-block:: cpp |
| 119 | |
| 120 | KeyChain keyChain; |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 121 | Name defaultCertName = keyChain.createIdentity(identity); |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 122 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 123 | This method guarantees that the default key and certificate of the supplied identity |
| 124 | always exist in the KeyChain. This method checks if the supplied identity has already had |
| 125 | a default key and a default certificate and returns the default certificate name if |
| 126 | exists. If the default certificate is missing, KeyChain will automatically create a |
| 127 | self-signed certificate of the default key. If the default key is missing, KeyChain will |
| 128 | automatically create a new key and set it as the default key and create a self-signed |
| 129 | certificate as well. |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 130 | |
| 131 | Create Keys Manually |
| 132 | ~~~~~~~~~~~~~~~~~~~~ |
| 133 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 134 | One can call :ndn-cxx:`KeyChain::generateRsaKeyPair` to generate an RSA key pair or |
| 135 | :ndn-cxx:`KeyChain::generateEcdsaKeyPair` to generate an ECDSA key. Note that generated |
| 136 | key pair is not set as the default key of the identity, so you need to set it manually by |
| 137 | calling :ndn-cxx:`KeyChain::setDefaultKeyNameForIdentity`. There is also a helper method |
| 138 | :ndn-cxx:`KeyChain::generateRsaKeyPairAsDefault`, which combines the two steps into one. |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 139 | |
| 140 | .. code-block:: cpp |
| 141 | |
| 142 | KeyChain keyChain; |
| 143 | Name alice("/ndn/test/alice"); |
| 144 | |
Junxiao Shi | e9c3db3 | 2015-02-14 19:51:28 -0700 | [diff] [blame^] | 145 | Name aliceKeyName = keyChain.generateRsaKeyPair(alice); |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 146 | keyChain.setDefaultKeyNameForIdentity(aliceKeyName); |
| 147 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 148 | // Now the key with the name aliceKeyName2 becomes alice's default key |
Junxiao Shi | e9c3db3 | 2015-02-14 19:51:28 -0700 | [diff] [blame^] | 149 | Name aliceKeyName2 = keyChain.generateRsaKeyPairAsDefault(alice); |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 150 | |
| 151 | Create Identity Certificate Manually |
| 152 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 153 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 154 | If you have created a key pair, you can generate a self-signed certificate for the key by |
| 155 | calling :ndn-cxx:`KeyChain::selfSign`. |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 156 | |
| 157 | .. code-block:: cpp |
| 158 | |
| 159 | KeyChain keyChain; |
| 160 | Name aliceKeyName("/ndn/test/alice/ksk-1394129695025"); |
| 161 | |
| 162 | shared_ptr<IdentityCertificate> aliceCert = keyChain.selfSign(aliceKeyName); |
| 163 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 164 | You can sign a public key using a different key: |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 165 | |
| 166 | .. code-block:: cpp |
| 167 | |
| 168 | KeyChain keyChain; |
| 169 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 170 | shared_ptr<IdentityCertificate> certificate = |
| 171 | keyChain.prepareUnsignedIdentityCertificate(publicKeyName, publicKey, |
| 172 | signingIdentity, |
| 173 | notBefore, notAfter, |
| 174 | subjectDescription, prefix |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 175 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 176 | keyChain.signByIdentity(*certificate, signingIdentity); |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 177 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 178 | Signing Data |
| 179 | %%%%%%%%%%%% |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 180 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 181 | Although the security library does not have the intelligence to automatically determine |
| 182 | the signing key for each data packet, it still provides a mechanism, called **Default |
| 183 | Signing Settings**, to facilitate signing process. |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 184 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 185 | The basic signing process in the security library would be like this: create :ndn-cxx:`KeyChain` |
| 186 | instance and supply the data packet and signing certificate name to :ndn-cxx:`KeyChain::sign` |
| 187 | method. |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 188 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 189 | .. code-block:: cpp |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 190 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 191 | KeyChain keyChain; |
| 192 | keyChain.sign(dataPacket, signingCertificateName); |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 193 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 194 | The :ndn-cxx:`KeyChain` instance will |
| 195 | |
| 196 | - construct ``SignatureInfo`` using the signing certificate name; |
| 197 | - look up the corresponding private key in :ndn-cxx:`TPM <SecTpm>`; |
| 198 | - sign the data packet if the private key exists. |
| 199 | |
| 200 | The basic process, however, requires application developers to supply the exact |
| 201 | certificate name. Such a process has two shortages: first, it might be difficult to |
| 202 | remember the certificate name; second, application developers have to be aware of |
| 203 | certificate update and key roll-over. Therefore, the security library provides another |
| 204 | signing process in which application developers only need to supply the signing identity: |
| 205 | |
| 206 | .. code-block:: cpp |
| 207 | |
| 208 | KeyChain keyChain; |
| 209 | keyChain.signByIdentity(dataPacket, signingIdentity); |
| 210 | |
| 211 | The :ndn-cxx:`KeyChain` instance will |
| 212 | |
| 213 | - determine the default key of the signing identity; |
| 214 | - determine the default certificate of the key; |
| 215 | - construct ``SignatureInfo`` using the default certificate name; |
| 216 | - look up the corresponding private key in :ndn-cxx:`TPM <SecTpm>`; |
| 217 | - sign the data packet if the private key exists. |
| 218 | |
| 219 | The process above requires that each identity has a default key and that each key has a |
| 220 | default certificate. All these default settings is managed in :ndn-cxx:`PIB |
| 221 | <SecPublicInfo>`, one can get/set these default settings through :ndn-cxx:`KeyChain` |
| 222 | directly: |
| 223 | |
| 224 | .. code-block:: cpp |
| 225 | |
| 226 | KeyChain keyChain; |
| 227 | Name defaultKeyName = keyChain.getDefaultKeyNameForIdentity(identity); |
| 228 | Name defaultCertName = keyChain.getDefaultCertificateNameForKey(keyName); |
| 229 | |
| 230 | keyChain.setDefaultKeyNameForIdentity(keyName); |
| 231 | keyChain.setDefaultCertificateNameForKey(certificateName); |
| 232 | |
| 233 | There is even a default identity which will be used when no identity information is |
| 234 | supplied in signing method: |
| 235 | |
| 236 | .. code-block:: cpp |
| 237 | |
| 238 | KeyChain keyChain; |
| 239 | keyChain.sign(dataPacket); |
| 240 | |
| 241 | And default identity can be got/set through :ndn-cxx:`KeyChain` as well: |
| 242 | |
| 243 | .. code-block:: cpp |
| 244 | |
| 245 | KeyChain keyChain; |
| 246 | Name defaultIdentity = keyChain.getDefaultIdentity(); |
| 247 | keyChain.setDefaultIdentity(identity); |
| 248 | |
| 249 | |
| 250 | Signing Interests |
| 251 | %%%%%%%%%%%%%%%%% |
| 252 | |
| 253 | The process of signing Interests according to the :doc:`Signed Interest specification |
| 254 | <signed-interest>` is exactly the same as the process of signing Data packets: |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 255 | |
| 256 | .. code-block:: cpp |
| 257 | |
| 258 | KeyChain keyChain; |
| 259 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 260 | keyChain.sign(interest, signingCertName); |
| 261 | keyChain.signByIdentity(interest, signingIdentity); |
| 262 | keyChain.sign(interest); |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 263 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 264 | Validation |
| 265 | ---------- |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 266 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 267 | Interest and Data validation is done through a **Validator**. :ndn-cxx:`Validator` is a virtual |
| 268 | class, two pure virtual methods must be implemented in order to construct a working |
| 269 | validator: |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 270 | |
| 271 | .. code-block:: cpp |
| 272 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 273 | class Validator |
| 274 | { |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 275 | ... |
| 276 | protected: |
| 277 | virtual void |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 278 | checkPolicy(const Data& data, |
| 279 | int nSteps, |
| 280 | const OnDataValidated& onValidated, |
| 281 | const OnDataValidationFailed& onValidationFailed, |
| 282 | std::vector<shared_ptr<ValidationRequest> >& nextSteps) = 0; |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 283 | |
| 284 | virtual void |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 285 | checkPolicy(const Interest& interest, |
| 286 | int nSteps, |
| 287 | const OnInterestValidated& onValidated, |
| 288 | const OnInterestValidationFailed& onValidationFailed, |
| 289 | std::vector<shared_ptr<ValidationRequest> >& nextSteps) = 0; |
| 290 | ... |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 291 | }; |
| 292 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 293 | What should be implemented in these two methods is to check: |
| 294 | |
| 295 | - whether the packet and signer comply with trust policies; |
| 296 | - whether their signature can be verified. |
| 297 | |
| 298 | If the packet can be validated, the ``onValidated`` callback should be invoked, otherwise |
| 299 | the ``onValidationFailed`` callback should be invoked. If more information (e.g., other |
| 300 | certificates) is needed, express the request for missing information in one or more |
| 301 | ``ValidationRequest`` and push them into ``nextSteps``. |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 302 | |
| 303 | .. code-block:: cpp |
| 304 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 305 | class ValidationRequest |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 306 | { |
| 307 | public: |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 308 | Interest m_interest; // The Interest for the requested data/certificate. |
| 309 | OnDataValidated m_onValidated; // Callback when the retrieved certificate is authenticated. |
| 310 | OnDataValidationFailed m_onDataValidated; // Callback when the retrieved certificate cannot be authenticated. |
| 311 | int m_nRetries; // The number of retries when the interest times out. |
| 312 | int m_nStep; // The number of validation steps that have been performed. |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 313 | }; |
| 314 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 315 | Besides the two ``Validator::checkPolicy`` methods, the ``Validator`` also provides three |
| 316 | hooks to control packet validation in a finer granularity. |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 317 | |
| 318 | .. code-block:: cpp |
| 319 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 320 | class Validator |
| 321 | { |
| 322 | ... |
| 323 | protected: |
| 324 | virtual shared_ptr<const Data> |
| 325 | preCertificateValidation(const Data& data); |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 326 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 327 | virtual void |
| 328 | onTimeout(const Interest& interest, |
| 329 | int nRemainingRetries, |
| 330 | const OnFailure& onFailure, |
| 331 | const shared_ptr<ValidationRequest>& validationRequest); |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 332 | |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 333 | virtual void |
| 334 | afterCheckPolicy(const std::vector<shared_ptr<ValidationRequest> >& nextSteps, |
| 335 | const OnFailure& onFailure); |
| 336 | ... |
Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 337 | }; |
Yingdi Yu | 4e99f53 | 2014-08-25 19:40:57 -0700 | [diff] [blame] | 338 | |
| 339 | ``Validator::preCertificateValidation`` is triggered before validating requested |
| 340 | certificate. The Data supplied matches the interest in the ``ValidationRequest``. It may |
| 341 | be certificate or a data encapsulating certificate. This hook returns a data (actually |
| 342 | certificate) that is will be passed as Data into ``Validator::validate``; |
| 343 | |
| 344 | ``Validator::onTimeout`` is triggered when interest for certificate times out. The logic |
| 345 | to handle the timeout can be implemented in this hook. One could invoke onFailure or |
| 346 | re-express the interest. |
| 347 | |
| 348 | ``Validator::afterCheckPolicy`` is invoked after ``Validator::checkPolicy`` is done. One |
| 349 | can implement the logic of how to process the set of ValidationRequests according to its |
| 350 | trust model. |
| 351 | |
| 352 | Configuration-based Validator |
| 353 | %%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
| 354 | |
| 355 | In most cases, the trust model of applications are simple. However, it is not trivial to |
| 356 | implement the two ``Validator::checkPolicy`` methods. Therefore, we provide a more |
| 357 | developer-friendly configuration-based validator, ``ValidatorConfig``. With |
| 358 | ``ValidatorConfig``, one can express the trust model using a policy language in a |
| 359 | configuration file. See :doc:`security-validator-config` for more details. |