Add certificate fetcher of ndns-appcert and ndns-cert

Validators are updated accordingly

Change-Id: Ibdee00b8f20243448a2ba3011ca87f85ce1ea516
diff --git a/src/clients/iterative-query-controller.hpp b/src/clients/iterative-query-controller.hpp
index b1a0995..83bf856 100644
--- a/src/clients/iterative-query-controller.hpp
+++ b/src/clients/iterative-query-controller.hpp
@@ -160,6 +160,11 @@
 std::ostream&
 operator<<(std::ostream& os, const IterativeQueryController::QueryStep step);
 
+// Used if you want the controller's lifetime equals to other object inherited
+// from TagHost. For example, in the CertificateFetcher, the queryController's
+// lifetime is equal to ValidationState.
+using IterativeQueryTag = SimpleTag<shared_ptr<IterativeQueryController>, 1086>;
+
 } // namespace ndns
 } // namespace ndn
 
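Review bot: The alias added here is duplicated as a function-local `using IterativeQueryTag = SimpleTag<shared_ptr<IterativeQueryController>, 1086>;` inside CertificateFetcherNdnsCert::doFetch in this same commit, so the tag type number 1086 now lives in two places and can drift apart; drop the local alias and rely on this header. The number 1086 also deserves a comment naming where tag type ids are allocated so another tag cannot reuse it. The added comment would read better as `// Tag binding the controller's lifetime to a TagHost, e.g. the ValidationState in the certificate fetchers.`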
diff --git a/src/mgmt/management-tool.cpp b/src/mgmt/management-tool.cpp
index d4d64e1..8d01211 100644
--- a/src/mgmt/management-tool.cpp
+++ b/src/mgmt/management-tool.cpp
@@ -125,7 +125,7 @@
     dkey = m_keyChain.createKey(dkeyIdentity);
     m_keyChain.deleteCertificate(dkey, dkey.getDefaultCertificate().getName());
 
-    dkeyCert = CertHelper::createCertificate(m_keyChain, dkey, dkey, label::CERT_RR_TYPE.toUri(), time::days(90));
+    dkeyCert = CertHelper::createCertificate(m_keyChain, dkey, dkey, label::CERT_RR_TYPE.toUri(), certValidity);
     dkeyCert.setFreshnessPeriod(cacheTtl);
     m_keyChain.addCertificate(dkey, dkeyCert);
     NDNS_LOG_INFO("Generated DKEY: " << dkeyCert.getName());
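Review bot: certValidity replaces the fixed time::days(90) for the DKEY certificate here and for the KSK certificate in the hunk at line 35, but nothing visible rejects a zero or negative duration, which would produce certificates that are already expired when created. The enclosing function starts outside the hunk, so a guard may exist where the parameter enters; if it does not, `if (certValidity <= time::seconds::zero()) BOOST_THROW_EXCEPTION(Error("certValidity must be positive"));` near the first use would make the failure explicit.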
@@ -141,7 +141,7 @@
     // delete automatically generated certificates,
     // because its issue is 'self' instead of CERT_RR_TYPE
     m_keyChain.deleteCertificate(ksk, ksk.getDefaultCertificate().getName());
-    kskCert = CertHelper::createCertificate(m_keyChain, ksk, dkey, label::CERT_RR_TYPE.toUri(), time::days(90));
+    kskCert = CertHelper::createCertificate(m_keyChain, ksk, dkey, label::CERT_RR_TYPE.toUri(), certValidity);
     kskCert.setFreshnessPeriod(cacheTtl);
     m_keyChain.addCertificate(ksk, kskCert);
     NDNS_LOG_INFO("Generated KSK: " << kskCert.getName());
@@ -298,10 +298,6 @@
 void
 ManagementTool::addRrset(Rrset& rrset)
 {
-  if (rrset.getLabel().size() > 1) {
-    BOOST_THROW_EXCEPTION(Error("Cannot add rrset with label size > 1, should use addMultiLevelLabelRrset instead"));
-  }
-
   // check that it does not override existing AUTH
   Rrset rrsetCopy = rrset;
   rrsetCopy.setType(label::NS_RR_TYPE);
@@ -362,7 +358,11 @@
   }
 
   if (needResign) {
-    m_keyChain.sign(*data, signingByCertificate(dskCertName));
+    // TODO validityPeriod should be able to be configured
+    SignatureInfo info;
+    info.setValidityPeriod(security::ValidityPeriod(time::system_clock::now(),
+                                                    time::system_clock::now() + DEFAULT_CERT_TTL));
+    m_keyChain.sign(*data, signingByCertificate(dskCertName).setSignatureInfo(info));
   }
 
   // create response for the input data
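Review bot: `time::system_clock::now()` is evaluated twice when building the ValidityPeriod, so notBefore and notAfter come from two separate clock readings; take one reading with `const auto now = time::system_clock::now();` and `info.setValidityPeriod(security::ValidityPeriod(now, now + DEFAULT_CERT_TTL));`. DEFAULT_CERT_TTL is a certificate default applied here to re-signed record data; the TODO could state what the intended source of this period is (the zone's data TTL seems more natural, but that is an inference). The enclosing function starts outside the hunk.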
diff --git a/src/mgmt/management-tool.hpp b/src/mgmt/management-tool.hpp
index 4c50c16..715ee18 100644
--- a/src/mgmt/management-tool.hpp
+++ b/src/mgmt/management-tool.hpp
@@ -148,9 +148,6 @@
 
   /** @brief Add rrset to the NDNS local database
    *
-   *  @throw Error if the @p rrset label size is larger than 1 or @p rrset will override an
-   *               existing AUTH record
-   *
    *  @param rrset rrset
    */
   void
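Review bot: The whole `@throw` paragraph is removed, but the AUTH-override check remains in ManagementTool::addRrset (the comment `// check that it does not override existing AUTH` survives in the cpp hunk at line 52), so the documentation now understates the function's contract. Keep `@throw Error if @p rrset would override an existing AUTH record` and drop only the label-size clause.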
diff --git a/src/util/cert-helper.hpp b/src/util/cert-helper.hpp
index 8e7297f..6fd5f20 100644
--- a/src/util/cert-helper.hpp
+++ b/src/util/cert-helper.hpp
@@ -63,7 +63,6 @@
                     const time::seconds& certValidity = time::days(10));
 };
 
-
 } // namespace ndns
 } // namespace ndn
 
diff --git a/src/validator/certificate-fetcher-ndns-appcert.cpp b/src/validator/certificate-fetcher-ndns-appcert.cpp
new file mode 100644
index 0000000..28f81b5
--- /dev/null
+++ b/src/validator/certificate-fetcher-ndns-appcert.cpp
@@ -0,0 +1,126 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2014-2017, Regents of the University of California.
+ *
+ * This file is part of NDNS (Named Data Networking Domain Name Service).
+ * See AUTHORS.md for complete list of NDNS authors and contributors.
+ *
+ * NDNS is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NDNS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE.  See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NDNS, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "certificate-fetcher-ndns-appcert.hpp"
+#include "certificate-fetcher-ndns-cert.hpp"
+#include "clients/iterative-query-controller.hpp"
+
+#include "validator.hpp"
+#include "clients/response.hpp"
+
+namespace ndn {
+namespace ndns {
+
+using security::v2::Certificate;
+
+CertificateFetcherAppCert::CertificateFetcherAppCert(Face& face,
+                                                     size_t nsCacheSize,
+                                                     size_t startComponentIndex)
+  : m_face(face)
+  , m_validator(NdnsValidatorBuilder::create(face, nsCacheSize, startComponentIndex))
+  , m_startComponentIndex(startComponentIndex)
+{
+  m_nsCache = dynamic_cast<CertificateFetcherNdnsCert&>(m_validator->getFetcher()).getNsCache();
+}
+
+void
+CertificateFetcherAppCert::doFetch(const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                                   const shared_ptr<security::v2::ValidationState>& state,
+                                   const ValidationContinuation& continueValidation)
+{
+  const Name& key = certRequest->m_interest.getName();
+  auto query = make_shared<IterativeQueryController>(key,
+                                                     label::APPCERT_RR_TYPE,
+                                                     certRequest->m_interest.getInterestLifetime(),
+                                                     [=] (const Data& data, const Response& response) {
+                                                       onQuerySuccessCallback(data, certRequest, state, continueValidation);
+                                                     },
+                                                     [=] (uint32_t errCode, const std::string& errMsg) {
+                                                       onQueryFailCallback(errMsg, certRequest, state, continueValidation);
+                                                     },
+                                                     m_face,
+                                                     nullptr,
+                                                     m_nsCache);
+  query->setStartComponentIndex(m_startComponentIndex);
+  query->start();
+  state->setTag(make_shared<IterativeQueryTag>(query));
+}
+
+void
+CertificateFetcherAppCert::onQuerySuccessCallback(const Data& data,
+                                                  const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                                                  const shared_ptr<security::v2::ValidationState>& state,
+                                                  const ValidationContinuation& continueValidation)
+{
+  m_validator->validate(data,
+                        [=] (const Data& data) {
+                          onValidationSuccessCallback(data, certRequest, state, continueValidation);
+                        },
+                        [=] (const Data& data,
+                             const security::v2::ValidationError& errStr) {
+                          onValidationFailCallback(errStr, certRequest, state, continueValidation);
+                        });
+}
+
+void
+CertificateFetcherAppCert::onQueryFailCallback(const std::string& errMsg,
+                                               const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                                               const shared_ptr<security::v2::ValidationState>& state,
+                                               const ValidationContinuation& continueValidation)
+{
+  state->fail({security::v2::ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate due to " +
+        errMsg + " `" + certRequest->m_interest.getName().toUri() + "`"});
+}
+
+void
+CertificateFetcherAppCert::onValidationSuccessCallback(const Data& data,
+                                                       const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                                                       const shared_ptr<security::v2::ValidationState>& state,
+                                                       const ValidationContinuation& continueValidation)
+{
+  if (data.getContentType() == NDNS_NACK) {
+    state->fail({security::v2::ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate: get a Nack "
+          "in query `" + certRequest->m_interest.getName().toUri() + "`"});
+    return;
+  }
+
+  Certificate cert;
+  try {
+    cert = Certificate(data.getContent().blockFromValue());
+  }
+  catch (const ndn::tlv::Error& e) {
+    return state->fail({security::v2::ValidationError::Code::MALFORMED_CERT, "Fetched a malformed certificate "
+          "`" + data.getName().toUri() + "` (" + e.what() + ")"});
+  }
+  continueValidation(cert, state);
+}
+
+void
+CertificateFetcherAppCert::onValidationFailCallback(const security::v2::ValidationError& err,
+                                                    const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                                                    const shared_ptr<security::v2::ValidationState>& state,
+                                                    const ValidationContinuation& continueValidation)
+{
+  state->fail({security::v2::ValidationError::Code::CANNOT_RETRIEVE_CERT,
+        "Cannot fetch certificate due to NDNS validation error :"
+        + err.getInfo() + " `" + certRequest->m_interest.getName().toUri() + "`"});
+}
+
+} // namespace ndns
+} // namespace ndn
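Review bot: onValidationSuccessCallback hands the de-encapsulated certificate to continueValidation without checking that its name corresponds to the KeyLocator that was requested (`certRequest->m_interest.getName()`); m_validator binds the NDNS record to the zone's key, not the inner certificate to the requested key name, and whether the policy re-checks that name later is not visible here. Before `continueValidation(cert, state);` add `if (!certRequest->m_interest.getName().isPrefixOf(cert.getName())) { return state->fail({security::v2::ValidationError::Code::MALFORMED_CERT, "Certificate name does not match requested key `" + cert.getName().toUri() + "`"}); }`. The lambdas in onQuerySuccessCallback name their parameter `data`, shadowing the method's own `data` argument, and `errStr` is a ValidationError rather than a string; renaming both avoids -Wshadow noise and reads truer. The raw `m_nsCache` assigned in the constructor aliases storage owned by `m_validator`'s fetcher, which deserves a one-line comment at that assignment, e.g. `// non-owning; the cache belongs to m_validator's fetcher`.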
diff --git a/src/validator/certificate-fetcher-ndns-appcert.hpp b/src/validator/certificate-fetcher-ndns-appcert.hpp
new file mode 100644
index 0000000..2bd9305
--- /dev/null
+++ b/src/validator/certificate-fetcher-ndns-appcert.hpp
@@ -0,0 +1,103 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2014-2017, Regents of the University of California.
+ *
+ * This file is part of NDNS (Named Data Networking Domain Name Service).
+ * See AUTHORS.md for complete list of NDNS authors and contributors.
+ *
+ * NDNS is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NDNS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE.  See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NDNS, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef NDNS_VALIDATOR_CERTIFICATE_FETCHER_NDNS_APPCERT_HPP
+#define NDNS_VALIDATOR_CERTIFICATE_FETCHER_NDNS_APPCERT_HPP
+
+#include <ndn-cxx/ims/in-memory-storage.hpp>
+#include <ndn-cxx/security/v2/validator.hpp>
+
+namespace ndn {
+namespace ndns {
+
+/**
+ * @brief Fetch NDNS-stored application certificate(APPCERT type record)
+ * By an iterative-query process, it will retrieve the record, execute authentications,
+ * and de-encapsulate record to get application's certificate.
+ */
+class CertificateFetcherAppCert : public security::v2::CertificateFetcher
+{
+public:
+  explicit
+  CertificateFetcherAppCert(Face& face,
+                            size_t nsCacheSize = 500,
+                            size_t startComponentIndex = 0);
+
+protected:
+  /**
+   * @brief retrive appcert record, validate, and de-encapsulate
+   * This method will first retrive the record by an iterative query.
+   * Then it will pass it to validator.
+   * If validated, de-encapsulate and call continueValidation.
+   */
+  void
+  doFetch(const shared_ptr<security::v2::CertificateRequest>& certRequest,
+          const shared_ptr<security::v2::ValidationState>& state,
+          const ValidationContinuation& continueValidation) override;
+
+private:
+  /**
+   * @brief Callback invoked when rrset is retrived, including nack
+   */
+  void
+  onQuerySuccessCallback(const Data& data,
+                         const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                         const shared_ptr<security::v2::ValidationState>& state,
+                         const ValidationContinuation& continueValidation);
+
+  /**
+   * @brief Callback invoked when iterative query failed
+   *
+   * @todo retry for some amount of time
+   */
+  void
+  onQueryFailCallback(const std::string& errMsg,
+                      const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                      const shared_ptr<security::v2::ValidationState>& state,
+                      const ValidationContinuation& continueValidation);
+
+  /**
+   * @brief Callback invoked when rrset validation succeeded
+   */
+  void
+  onValidationSuccessCallback(const Data& data,
+                              const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                              const shared_ptr<security::v2::ValidationState>& state,
+                              const ValidationContinuation& continueValidation);
+
+  /**
+   * @brief Callback invoked when rrset validation failed
+   */
+  void
+  onValidationFailCallback(const security::v2::ValidationError& err,
+                           const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                           const shared_ptr<security::v2::ValidationState>& state,
+                           const ValidationContinuation& continueValidation);
+
+private:
+  Face& m_face;
+  unique_ptr<security::v2::Validator> m_validator;
+  InMemoryStorage* m_nsCache;
+  size_t m_startComponentIndex;
+};
+
+} // namespace ndns
+} // namespace ndn
+
+#endif // NDNS_VALIDATOR_CERTIFICATE_FETCHER_NDNS_APPCERT_HPP
\ No newline at end of file
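Review bot: `m_nsCache` is a non-owning raw pointer obtained from the CertificateFetcherNdnsCert inside `m_validator`, but nothing in the header says so, and a reader may assume this class owns the cache. Document it on the member as `InMemoryStorage* m_nsCache; // non-owning; points into m_validator's fetcher and must not outlive it`, and note on the constructor that it throws std::bad_cast when the validator's fetcher is not a CertificateFetcherNdnsCert (this follows from the reference dynamic_cast in the cpp). The @brief text has typos (`retrive` → `retrieve`, `de-encapsulate` → `decapsulate`), and the file lacks a trailing newline.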
diff --git a/src/validator/certificate-fetcher-ndns-cert.cpp b/src/validator/certificate-fetcher-ndns-cert.cpp
new file mode 100644
index 0000000..8131bea
--- /dev/null
+++ b/src/validator/certificate-fetcher-ndns-cert.cpp
@@ -0,0 +1,207 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2014-2017, Regents of the University of California.
+ *
+ * This file is part of NDNS (Named Data Networking Domain Name Service).
+ * See AUTHORS.md for complete list of NDNS authors and contributors.
+ *
+ * NDNS is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NDNS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE.  See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NDNS, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "certificate-fetcher-ndns-cert.hpp"
+#include "clients/iterative-query-controller.hpp"
+#include "clients/response.hpp"
+#include "logger.hpp"
+
+#include <ndn-cxx/encoding/tlv.hpp>
+#include <ndn-cxx/ims/in-memory-storage-fifo.hpp>
+
+namespace ndn {
+namespace ndns {
+
+using security::v2::Certificate;
+
+NDNS_LOG_INIT("CertificateFetcherNdnsCert")
+
+CertificateFetcherNdnsCert::CertificateFetcherNdnsCert(Face& face,
+                                                       size_t nsCacheSize,
+                                                       size_t startComponentIndex)
+  : m_face(face)
+  , m_nsCache(make_unique<InMemoryStorageFifo>(nsCacheSize))
+  , m_startComponentIndex(startComponentIndex)
+{}
+
+void
+CertificateFetcherNdnsCert::doFetch(const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                                    const shared_ptr<security::v2::ValidationState>& state,
+                                    const ValidationContinuation& continueValidation)
+{
+  using IterativeQueryTag = SimpleTag<shared_ptr<IterativeQueryController>, 1086>;
+  const Name& key = certRequest->m_interest.getName();
+  Name domain = calculateDomain(key);
+  if (domain.size() == m_startComponentIndex) {
+    // NS record does not exist, since the domain is actually globally routable
+    nsFailCallback("[skipped] zone name " + domain.toUri()
+                   + " is globally routable because startComponentIndex="
+                   + std::to_string(m_startComponentIndex),
+                   certRequest, state, continueValidation);
+    return ;
+  }
+
+  auto query = make_shared<IterativeQueryController>(domain,
+                                                     label::NS_RR_TYPE,
+                                                     certRequest->m_interest.getInterestLifetime(),
+                                                     [=] (const Data& data, const Response& response) {
+                                                       nsSuccessCallback(data, certRequest, state, continueValidation);
+                                                     },
+                                                     [=] (uint32_t errCode, const std::string& errMsg) {
+                                                       nsFailCallback(errMsg, certRequest, state, continueValidation);
+                                                     },
+                                                     m_face,
+                                                     nullptr,
+                                                     m_nsCache.get());
+  query->setStartComponentIndex(m_startComponentIndex);
+  query->start();
+  auto queryTag = make_shared<IterativeQueryTag>(query);
+  state->setTag(queryTag);
+}
+
+void
+CertificateFetcherNdnsCert::nsSuccessCallback(const Data& data,
+                                              const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                                              const shared_ptr<security::v2::ValidationState>& state,
+                                              const ValidationContinuation& continueValidation)
+{
+  Name interestName(certRequest->m_interest.getName());
+  interestName.append(label::CERT_RR_TYPE);
+  Interest interest(interestName);
+
+  if (data.getContentType() == NDNS_LINK) {
+    Link link(data.wireEncode());
+    if (!link.getDelegationList().empty()) {
+      interest.setForwardingHint(link.getDelegationList());
+      NDNS_LOG_INFO(" [* -> *] sending interest with LINK:" << interestName);
+    }
+    else {
+      NDNS_LOG_INFO(" [* -> *] sending interest without LINK (empty delegation set):" << interestName);
+    }
+  }
+  else {
+    NDNS_LOG_WARN("fail to get NS rrset of " << interestName << " , returned data type:" << data.getContentType());
+  }
+
+  m_face.expressInterest(interest,
+                         [=] (const Interest& interest, const Data& data) {
+                           dataCallback(data, certRequest, state, continueValidation);
+                         },
+                         [=] (const Interest& interest, const lp::Nack& nack) {
+                           nackCallback(nack, certRequest, state, continueValidation);
+                         },
+                         [=] (const Interest& interest) {
+                           timeoutCallback(certRequest, state, continueValidation);
+                         });
+}
+
+void
+CertificateFetcherNdnsCert::nsFailCallback(const std::string& errMsg,
+                                           const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                                           const shared_ptr<security::v2::ValidationState>& state,
+                                           const ValidationContinuation& continueValidation)
+{
+  NDNS_LOG_WARN("Cannot fetch link due to " +
+                errMsg + " `" + certRequest->m_interest.getName().toUri() + "`");
+
+  Name interestName(certRequest->m_interest.getName());
+  interestName.append(label::CERT_RR_TYPE);
+  Interest interest(interestName);
+  m_face.expressInterest(interest,
+                         [=] (const Interest& interest, const Data& data) {
+                           dataCallback(data, certRequest, state, continueValidation);
+                         },
+                         [=] (const Interest& interest, const lp::Nack& nack) {
+                           nackCallback(nack, certRequest, state, continueValidation);
+                         },
+                         [=] (const Interest& interest) {
+                           timeoutCallback(certRequest, state, continueValidation);
+                         });
+}
+
+Name
+CertificateFetcherNdnsCert::calculateDomain(const Name& key)
+{
+  for (size_t i = 0; i < key.size(); i++) {
+    if (key[i] == label::NDNS_ITERATIVE_QUERY) {
+      return key.getPrefix(i);
+    }
+  }
+  BOOST_THROW_EXCEPTION(std::runtime_error(key.toUri() + " is not a legal NDNS certificate name"));
+}
+
+void
+CertificateFetcherNdnsCert::dataCallback(const Data& data,
+                                         const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                                         const shared_ptr<security::v2::ValidationState>& state,
+                                         const ValidationContinuation& continueValidation)
+{
+  NDNS_LOG_DEBUG("Fetched certificate from network " << data.getName());
+
+  Certificate cert;
+  try {
+    cert = Certificate(data);
+  }
+  catch (const ndn::tlv::Error& e) {
+    return state->fail({security::v2::ValidationError::Code::MALFORMED_CERT, "Fetched a malformed certificate "
+                        "`" + data.getName().toUri() + "` (" + e.what() + ")"});
+  }
+  continueValidation(cert, state);
+}
+
+void
+CertificateFetcherNdnsCert::nackCallback(const lp::Nack& nack,
+                                         const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                                         const shared_ptr<security::v2::ValidationState>& state,
+                                         const ValidationContinuation& continueValidation)
+{
+  NDNS_LOG_DEBUG("NACK (" << nack.getReason() <<  ") while fetching certificate "
+                 << certRequest->m_interest.getName());
+
+  --certRequest->m_nRetriesLeft;
+  if (certRequest->m_nRetriesLeft >= 0) {
+    // TODO implement delay for the the next fetch
+    fetch(certRequest, state, continueValidation);
+  }
+  else {
+    state->fail({security::v2::ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate after all "
+                 "retries `" + certRequest->m_interest.getName().toUri() + "`"});
+  }
+}
+
+void
+CertificateFetcherNdnsCert::timeoutCallback(const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                                            const shared_ptr<security::v2::ValidationState>& state,
+                                            const ValidationContinuation& continueValidation)
+{
+  NDNS_LOG_DEBUG("Timeout while fetching certificate " << certRequest->m_interest.getName()
+                 << ", retrying");
+
+  --certRequest->m_nRetriesLeft;
+  if (certRequest->m_nRetriesLeft >= 0) {
+    fetch(certRequest, state, continueValidation);
+  }
+  else {
+    state->fail({security::v2::ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate after all "
+                 "retries `" + certRequest->m_interest.getName().toUri() + "`"});
+  }
+}
+
+} // namespace ndns
+} // namespace ndn
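Review bot: doFetch calls calculateDomain on the KeyLocator name, which throws std::runtime_error when the name has no NDNS_ITERATIVE_QUERY component; doFetch runs inside validation of a received packet, so a malformed KeyLocator escapes as an exception instead of failing the ValidationState, and the fix below converts it into a state failure. nsSuccessCallback has a similar exposure: `Link link(data.wireEncode());` decodes network-supplied content and may throw tlv::Error out of a Face callback, so it should get the same try/catch treatment that dataCallback already applies to Certificate(data). The expressInterest blocks in nsSuccessCallback and nsFailCallback are identical and could be one private helper, and the function-local IterativeQueryTag alias duplicates the one added to iterative-query-controller.hpp.
```cpp
  const Name& key = certRequest->m_interest.getName();
  Name domain;
  try {
    domain = calculateDomain(key);
  }
  catch (const std::runtime_error& e) {
    state->fail({security::v2::ValidationError::Code::INVALID_KEY_LOCATOR, e.what()});
    return;
  }
  // … unchanged: globally-routable check, IterativeQueryController setup, tag …
```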
diff --git a/src/validator/certificate-fetcher-ndns-cert.hpp b/src/validator/certificate-fetcher-ndns-cert.hpp
new file mode 100644
index 0000000..a67e5b0
--- /dev/null
+++ b/src/validator/certificate-fetcher-ndns-cert.hpp
@@ -0,0 +1,123 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2014-2017, Regents of the University of California.
+ *
+ * This file is part of NDNS (Named Data Networking Domain Name Service).
+ * See AUTHORS.md for complete list of NDNS authors and contributors.
+ *
+ * NDNS is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NDNS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE.  See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NDNS, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef NDNS_VALIDATOR_CERTIFICATE_FETCHER_NDNS_CERT_HPP
+#define NDNS_VALIDATOR_CERTIFICATE_FETCHER_NDNS_CERT_HPP
+
+#include <ndn-cxx/face.hpp>
+#include <ndn-cxx/ims/in-memory-storage.hpp>
+#include <ndn-cxx/security/v2/certificate-fetcher.hpp>
+
+namespace ndn {
+namespace ndns {
+
+/**
+ * @brief Fetch NDNS-owned certificate by an iterative query process
+ */
+class CertificateFetcherNdnsCert : public security::v2::CertificateFetcher
+{
+public:
+  explicit
+  CertificateFetcherNdnsCert(Face& face,
+                             size_t nsCacheSize = 100,
+                             size_t startComponentIndex = 0);
+
+  InMemoryStorage*
+  getNsCache()
+  {
+    return m_nsCache.get();
+  }
+
+protected:
+  void
+  doFetch(const shared_ptr<security::v2::CertificateRequest>& certRequest,
+          const shared_ptr<security::v2::ValidationState>& state,
+          const ValidationContinuation& continueValidation) override;
+
+private:
+  /**
+   * @brief Callback invoked when NS rrset of the domain is retrived, including nack rrset
+   */
+  void
+  nsSuccessCallback(const Data& data,
+                    const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                    const shared_ptr<security::v2::ValidationState>& state,
+                    const ValidationContinuation& continueValidation);
+
+  /**
+   * @brief Callback invoked when iterative query failed
+   *
+   * @todo retry for some amount of time
+   */
+  void
+  nsFailCallback(const std::string& errMsg,
+                 const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                 const shared_ptr<security::v2::ValidationState>& state,
+                 const ValidationContinuation& continueValidation);
+
+  /**
+   * @brief get NDNS query's domainName and label name by parsing keylocator
+   *
+   * The return result is the name prefix before "/NDNS"
+   */
+  Name
+  calculateDomain(const Name& key);
+
+  /**
+   * @brief Callback invoked when certificate is retrieved.
+   */
+  void
+  dataCallback(const Data& data,
+               const shared_ptr<security::v2::CertificateRequest>& certRequest,
+               const shared_ptr<security::v2::ValidationState>& state,
+               const ValidationContinuation& continueValidation);
+  /**
+   * @brief Callback invoked when interest for fetching certificate gets NACKed.
+   *
+   * It will retry if certRequest->m_nRetriesLeft > 0
+   *
+   * @todo Delay retry for some amount of time
+   */
+  void
+  nackCallback(const lp::Nack& nack,
+               const shared_ptr<security::v2::CertificateRequest>& certRequest,
+               const shared_ptr<security::v2::ValidationState>& state,
+               const ValidationContinuation& continueValidation);
+
+  /**
+   * @brief Callback invoked when interest for fetching certificate times out.
+   *
+   * It will retry if certRequest->m_nRetriesLeft > 0
+   */
+  void
+  timeoutCallback(const shared_ptr<security::v2::CertificateRequest>& certRequest,
+                  const shared_ptr<security::v2::ValidationState>& state,
+                  const ValidationContinuation& continueValidation);
+protected:
+  Face& m_face;
+  unique_ptr<InMemoryStorage> m_nsCache;
+
+private:
+  size_t m_startComponentIndex;
+};
+
+} // namespace ndns
+} // namespace ndn
+
+#endif // NDNS_VALIDATOR_CERTIFICATE_FETCHER_NDNS_CERT_HPP
\ No newline at end of file
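Review bot: calculateDomain's doc says it parses the KeyLocator but omits that it throws std::runtime_error when no NDNS_ITERATIVE_QUERY component is present, and getNsCache returns a raw pointer with no ownership statement. Add `@throw std::runtime_error if @p key contains no NDNS_ITERATIVE_QUERY component` to calculateDomain and `@return non-owning pointer, valid only for the lifetime of this fetcher` to getNsCache. The nackCallback/timeoutCallback docs say retry happens if `m_nRetriesLeft > 0`, which matches the cpp's decrement-then-`>= 0` check; the file lacks a trailing newline.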
diff --git a/src/validator/validator.cpp b/src/validator/validator.cpp
index 9eb9a2e..3497d20 100644
--- a/src/validator/validator.cpp
+++ b/src/validator/validator.cpp
@@ -18,11 +18,11 @@
  */
 
 #include "validator.hpp"
-#include "logger.hpp"
 #include "config.hpp"
+#include "certificate-fetcher-ndns-cert.hpp"
+#include "logger.hpp"
 
 #include <ndn-cxx/security/v2/validation-policy-config.hpp>
-#include <ndn-cxx/security/v2/certificate-fetcher-from-network.hpp>
 
 namespace ndn {
 namespace ndns {
@@ -32,10 +32,15 @@
 std::string NdnsValidatorBuilder::VALIDATOR_CONF_FILE = DEFAULT_CONFIG_PATH "/" "validator.conf";
 
 unique_ptr<security::v2::Validator>
-NdnsValidatorBuilder::create(Face& face, const std::string& confFile)
+NdnsValidatorBuilder::create(Face& face,
+                             size_t nsCacheSize,
+                             size_t startComponentIndex,
+                             const std::string& confFile)
 {
   auto validator = make_unique<security::v2::Validator>(make_unique<security::v2::ValidationPolicyConfig>(),
-                                                        make_unique<security::v2::CertificateFetcherFromNetwork>(face));
+                                                        make_unique<CertificateFetcherNdnsCert>(face,
+                                                                                                nsCacheSize,
+                                                                                                startComponentIndex));
   security::v2::ValidationPolicyConfig& policy = dynamic_cast<security::v2::ValidationPolicyConfig&>(validator->getPolicy());
   policy.load(confFile);
   NDNS_LOG_TRACE("Validator loads configuration: " << confFile);
diff --git a/src/validator/validator.hpp b/src/validator/validator.hpp
index da1cba1..92a4c09 100644
--- a/src/validator/validator.hpp
+++ b/src/validator/validator.hpp
@@ -34,7 +34,10 @@
   static std::string VALIDATOR_CONF_FILE;
 
   static unique_ptr<security::v2::Validator>
-  create(Face& face, const std::string& confFile = VALIDATOR_CONF_FILE);
+  create(Face& face,
+         size_t nsCacheSize = 500,
+         size_t startComponentIndex = 0,
+         const std::string& confFile = VALIDATOR_CONF_FILE);
 };
 
 } // namespace ndns
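Review bot: The default `nsCacheSize = 500` here (and on CertificateFetcherAppCert's constructor) differs from the `100` default on CertificateFetcherNdnsCert's own constructor in this same commit, so the NS cache size depends on which entry point a caller happens to use. Pick one value and name it once, e.g. a shared `DEFAULT_NS_CACHE_SIZE` constant referenced by all three signatures, or document why the validator-level default is larger.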