class WeaveKeyExportDelegate
Defined at line 143 of file x64-shared/gen/third_party/openweave-core/src/include/Weave/Profiles/security/WeaveKeyExport.h
Abstract delegate class called by KeyExport engine to perform various
actions related to authentication during key export.
Public Methods
WEAVE_ERROR GetNodeCertSet (WeaveKeyExport * keyExport, WeaveCertificateSet & certSet)
Get the key export certificate set for the local node.
Called when the key export engine is preparing to sign a key export message. This method
is responsible for initializing the certificate set and loading all certificates that will be
included or referenced in the signature of the message. The last certificate loaded must
be the signing certificate.
WEAVE_ERROR ReleaseNodeCertSet (WeaveKeyExport * keyExport, WeaveCertificateSet & certSet)
Release the node's certificate set.
Called when the key export engine is done with the certificate set returned by GetNodeCertSet().
WEAVE_ERROR GenerateNodeSignature (WeaveKeyExport * keyExport, const uint8_t * msgHash, uint8_t msgHashLen, TLVWriter & writer)
Generate a signature for a key export message.
This method is responsible for computing a signature of the given hash value using the local
node's private key and writing the signature to the supplied TLV writer as a WeaveSignature
TLV structure.
WEAVE_ERROR BeginCertValidation (WeaveKeyExport * keyExport, ValidationContext & validCtx, WeaveCertificateSet & certSet)
Prepare for validating the peer's certificate.
Called at the start of certificate validation. This method is responsible for preparing the
supplied certificate set and validation context for use in validating the peer node's
certificate. Implementations must initialize the supplied WeaveCertificateSet object with
sufficient resources to handle the upcoming certificate validation. The implementation
must also load any necessary trusted root or CA certificates into the certificate set.
The supplied validation context will be initialized with a set of default validation
criteria, which the implementation may alter as necessary. The implementation must
either set the EffectiveTime field, or set the appropriate validation flags to suppress
certificate lifetime validation.
The implementation is required to maintain any resources allocated during BeginCertValidation()
until the corresponding EndCertValidation() call is made. Implementations are guaranteed
that EndCertValidation() will be called exactly once for each successful call to
BeginCertValidation().
WEAVE_ERROR HandleCertValidationResult (WeaveKeyExport * keyExport, ValidationContext & validCtx, WeaveCertificateSet & certSet, uint32_t requestedKeyId)
Process the results of validating the peer's certificate.
Called when validation of the peer node's certificate has completed. This method is only
called if certificate validation completes successfully. Implementations may use this call
to inspect the results of validation, and possibly override the result with an error.
For a responding node, the method is expected to verify the requestor's authority to export the
requested key.
For an initiating node, the method is expected to verify that the validated certificate properly
identifies the peer to which the key export request was sent.
WEAVE_ERROR EndCertValidation (WeaveKeyExport * keyExport, ValidationContext & validCtx, WeaveCertificateSet & certSet)
Release resources associated with peer certificate validation.
Called when peer certificate validation and request verification are complete.
WEAVE_ERROR ValidateUnsignedKeyExportMessage (WeaveKeyExport * keyExport, uint32_t requestedKeyId)
Verify the security of an unsigned key export message.
Called when the node receives a key export message that isn't signed. The method is expected to
verify the security of an unsigned key export message based on the context of its communication,
e.g. via the attributes of a security session used to send the message.
For a responding node, the method is expected to verify the initiator's authority to export the
requested key.
For an initiating node, the method is expected to verify the message legitimately originated from
the peer to which the key export request was sent.
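The following added example (not OpenWeave code) models the BeginCertValidation() / HandleCertValidationResult() / EndCertValidation() contract described above: the responder's authority check, the initiator's peer-identity check, and the pairing of End with each successful Begin. All types, error constants, the ACL, the driver function and the node and key IDs are simplified stand-ins constructed for illustration, and the method signatures are reduced from the real ones.

```cpp
#include <cstdint>
#include <set>
#include <utility>

// Stand-in types for illustration only; these are NOT the OpenWeave definitions.
using Err = int;
constexpr Err kOk = 0, kErrUnauthorized = 1, kErrWrongPeer = 2, kErrNoTrustAnchor = 3;
struct CertSet { bool loaded = false; };
struct ValidCtx { uint64_t signerNodeId = 0; uint32_t effectiveTime = 0; };

class ExampleDelegate {
public:
    bool isInitiator = false;
    uint64_t expectedPeer = 0;                          // initiator: node the request was sent to
    std::set<std::pair<uint64_t, uint32_t>> exportAcl;  // responder: (requestor, keyId) grants
    bool haveRoot = true;                               // whether a trusted root is available
    int live = 0;                                       // resources held between Begin and End

    Err BeginCertValidation(ValidCtx &ctx, CertSet &certs, uint32_t now) {
        if (!haveRoot) return kErrNoTrustAnchor;        // failed Begin: End will not follow
        certs.loaded = true;                            // load trusted root / CA certificates
        ctx.effectiveTime = now;                        // or set flags suppressing lifetime checks
        ++live;
        return kOk;
    }
    // Reached only after chain validation succeeded; may still override with an error.
    Err HandleCertValidationResult(const ValidCtx &ctx, uint32_t requestedKeyId) const {
        if (isInitiator)                                // did the expected peer answer?
            return ctx.signerNodeId == expectedPeer ? kOk : kErrWrongPeer;
        // Responder: a valid certificate alone does not grant export of this key.
        return exportAcl.count({ctx.signerNodeId, requestedKeyId}) ? kOk : kErrUnauthorized;
    }
    Err EndCertValidation(CertSet &certs) { certs.loaded = false; --live; return kOk; }
};

// Hypothetical engine-side driver showing the call order the documentation promises.
Err RunPeerValidation(ExampleDelegate &d, uint64_t validatedSigner, uint32_t keyId) {
    ValidCtx ctx;
    CertSet certs;
    Err err = d.BeginCertValidation(ctx, certs, 1700000000u);
    if (err != kOk) return err;
    ctx.signerNodeId = validatedSigner;                 // stands in for successful chain validation
    err = d.HandleCertValidationResult(ctx, keyId);
    d.EndCertValidation(certs);                         // exactly once per successful Begin
    return err;
}
```

The responder branch keys its decision on both the validated identity and the requested key ID, so a peer with a valid certificate is still refused keys it has not been granted.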