Certificate verification alternate flow #177

Open
vchinn04 wants to merge 10 commits into named-data:valid-expire-key from vchinn04:certificate_verification_alternate_vchinn04
@vchinn04

Alternate validation flow allowing expired roots that are verified by the new root.

Copilot AI (Contributor) left a comment

Pull request overview

Introduces an alternate certificate validation flow that can validate data/cert chains using the packet signature timestamp (SigTime), enabling acceptance of chains involving expired roots when they can be re-authorized via a replacement root (e.g., through CertList indirection).

Changes:

  • Added UseSignatureTime-gated validation path in TrustConfig to relax “current-time expiry” checks and instead enforce “signed within cert validity period” checks.
  • Added SigTime support to DataConfig and the 2022 spec encoder/decoder, and updated test vectors to be deterministic by pinning SigTime.
  • Added CertList helper(s) and new tests covering signature-time validation flows and cert list appending.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 12 comments.

| File | Description |
| --- | --- |
| std/security/trust_config.go | Adds signature-time validation flow and helpers; modifies fetch-time expiry behavior when enabled. |
| std/security/trust_config_test.go | Adds an end-to-end test for signature-time validation across root replacement / CertList flows. |
| std/security/certificate.go | Adds SigTime when signing certs; adds CertList append helper(s). |
| std/security/certificate_test.go | Adds a test for appending to a CertList. |
| std/ndn/spec.go | Extends ndn.DataConfig with SigTime. |
| std/ndn/spec_2022/spec.go | Implements Data SigTime decoding and auto-populates SignatureTime during encoding. |
| std/ndn/spec_2022/spec_test.go | Updates expected wire encodings and pins SigTime for deterministic vectors. |
| std/engine/basic/engine_test.go | Updates expected wire encodings and pins SigTime for deterministic vectors. |

zjkmxy (Member) left a comment

LGTM

}

if !config.SigTime.IsSet() {
config.SigTime = optional.Some(time.Duration(time.Now().UnixMilli()) * time.Millisecond)
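
Review bot: the fallback in the `if !config.SigTime.IsSet()` branch calls `time.Now()` directly, so any caller that leaves SigTime unset gets a host wall-clock value it did not choose, and tests cannot pin it without setting the field by hand. Since the alternate flow in this PR compares SigTime against the certificate validity period, take the timestamp from the signer or an injectable clock instead, and add a comment stating that the value is milliseconds since the Unix epoch carried in a time.Duration.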

nit: I think this should be set by the signer (and Interest should do the same). Otherwise, it would be hard to do integration tests by injection.
This is also the reason why we have the Timer interface:

ndnd/std/ndn/engine.go, lines 59 to 69 in e716745:

```go
type Timer interface {
	// Now returns current time.
	Now() time.Time
	// Sleep sleeps for the duration.
	Sleep(time.Duration)
	// Schedule schedules the callback function to be called after the duration,
	// and returns a cancel callback to cancel the scheduled function.
	Schedule(time.Duration, func()) func() error
	// Nonce generates a random nonce.
	Nonce() []byte
}
```
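
The point raised in this review thread, as an added Go example that is not part of the PR or of ndnd: the signer stamps SigTime from an injected clock, and validation checks the certificate either at the verifier's current time or at the packet's SigTime. `Clock`, `FixedClock`, `Validity`, `StampSigTime` and `Validate` are hypothetical names; only the `Now()` method and the millisecond `time.Duration` representation come from the page.

```go
package main

import (
	"fmt"
	"time"
)

// Clock is the Now() subset of the Timer interface quoted above (hypothetical name).
type Clock interface{ Now() time.Time }

// FixedClock returns one pinned instant, so tests are deterministic.
type FixedClock struct{ T time.Time }

func (c FixedClock) Now() time.Time { return c.T }

// Validity is a certificate validity period (hypothetical type, not ndnd's).
type Validity struct{ NotBefore, NotAfter time.Time }

// StampSigTime is what a signer would call: it reads the injected clock instead
// of time.Now() and returns milliseconds since the Unix epoch as a Duration,
// the representation used in the diff above.
func StampSigTime(c Clock) time.Duration {
	return time.Duration(c.Now().UnixMilli()) * time.Millisecond
}

// Validate checks the validity period at the verifier's current time, or, when
// useSigTime is set, at the instant the packet claims it was signed.
func Validate(v Validity, sigTime time.Duration, verifier Clock, useSigTime bool) bool {
	at := verifier.Now()
	if useSigTime {
		at = time.UnixMilli(sigTime.Milliseconds())
	}
	return !at.Before(v.NotBefore) && !at.After(v.NotAfter)
}

func main() {
	// Constructed sample: a root valid 2020-2022, data signed mid-2021, verified in 2025.
	utc := func(y int) time.Time { return time.Date(y, 6, 1, 0, 0, 0, 0, time.UTC) }
	root := Validity{NotBefore: utc(2020), NotAfter: utc(2022)}
	sig := StampSigTime(FixedClock{utc(2021)})
	verifier := FixedClock{utc(2025)}
	fmt.Println("current-time check:", Validate(root, sig, verifier, false))
	fmt.Println("signature-time check:", Validate(root, sig, verifier, true))
	late := StampSigTime(FixedClock{utc(2023)}) // signed after the root expired
	fmt.Println("signed after expiry:", Validate(root, late, verifier, true))
}
```

With the check moved to signature time, the result depends on a timestamp carried in the packet, which is why the PR ties acceptance of an expired root to verification by the new root.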
