Address review comments.

project-chip · May 8, 2023 · 05623af · 05623af
1 parent e3f8d23
commit 05623af
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 43 deletions.
diff --git a/src/darwin/Framework/CHIP/MTRCertificates.h b/src/darwin/Framework/CHIP/MTRCertificates.h
@@ -44,7 +44,11 @@ NS_ASSUME_NONNULL_BEGIN
  * If fabricID is not nil, it will be included in the subject DN of the
  * certificate.  In this case it must be a valid Matter fabric id.
  *
- * validityPeriod specifies when the certificate will be valid.
+ * validityPeriod specifies when the certificate will be valid. Note that
+ * there is currently no mechanism available in Matter to update or rotate
+ * the root certificate of a fabric installed on a device. A certificate with
+ * no expiration time can be created by specifying [NSDate distantFuture] for
+ * the end of the period.
  *
  * On failure returns nil and if "error" is not null sets *error to the relevant
  * error.
@@ -79,7 +83,9 @@ NS_ASSUME_NONNULL_BEGIN
  * If fabricID is not nil, it will be included in the subject DN of the
  * certificate.  In this case it must be a valid Matter fabric id.
  *
- * validityPeriod specifies when the certificate will be valid.
+ * validityPeriod specifies when the certificate will be valid. A certificate
+ * with no expiration time can be created by specifying [NSDate distantFuture]
+ * for the end of the period.
  *
  * On failure returns nil and if "error" is not null sets *error to the relevant
  * error.
@@ -123,7 +129,9 @@ NS_ASSUME_NONNULL_BEGIN
  * 3 numbers, which are expected to be 32-bit unsigned Case Authenticated Tag
  * values.
  *
- * validityPeriod specifies when the certificate will be valid.
+ * validityPeriod specifies when the certificate will be valid. A certificate
+ * with no expiration time can be created by specifying [NSDate distantFuture]
+ * for the end of the period.
  *
  * On failure returns nil and if "error" is not null sets *error to the relevant
  * error.

diff --git a/src/darwin/Framework/CHIP/MTRCertificates.mm b/src/darwin/Framework/CHIP/MTRCertificates.mm
@@ -62,8 +62,9 @@ + (MTRCertificateDERBytes _Nullable)createRootCertificate:(id<MTRKeypair>)keypai
                                                  fabricID:(NSNumber * _Nullable)fabricID
                                                     error:(NSError * __autoreleasing *)error
 {
-    auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now]
-                                                             duration:MTROperationalCredentialsDelegate::kCertificateValiditySecs];
+    auto * validityPeriod =
+        [[NSDateInterval alloc] initWithStartDate:[NSDate now]
+                                         duration:MTROperationalCredentialsDelegate::kCertificateDefaultValiditySecs];
     return [self createRootCertificate:keypair issuerID:issuerID fabricID:fabricID validityPeriod:validityPeriod error:error];
 }
 
@@ -97,8 +98,9 @@ + (MTRCertificateDERBytes _Nullable)createIntermediateCertificate:(id<MTRKeypair
                                                          fabricID:(NSNumber * _Nullable)fabricID
                                                             error:(NSError * __autoreleasing *)error
 {
-    auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now]
-                                                             duration:MTROperationalCredentialsDelegate::kCertificateValiditySecs];
+    auto * validityPeriod =
+        [[NSDateInterval alloc] initWithStartDate:[NSDate now]
+                                         duration:MTROperationalCredentialsDelegate::kCertificateDefaultValiditySecs];
     return [self createIntermediateCertificate:rootKeypair
                                rootCertificate:rootCertificate
                          intermediatePublicKey:intermediatePublicKey
@@ -140,8 +142,9 @@ + (MTRCertificateDERBytes _Nullable)createOperationalCertificate:(id<MTRKeypair>
                                            caseAuthenticatedTags:(NSSet<NSNumber *> * _Nullable)caseAuthenticatedTags
                                                            error:(NSError * __autoreleasing _Nullable * _Nullable)error
 {
-    auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now]
-                                                             duration:MTROperationalCredentialsDelegate::kCertificateValiditySecs];
+    auto * validityPeriod =
+        [[NSDateInterval alloc] initWithStartDate:[NSDate now]
+                                         duration:MTROperationalCredentialsDelegate::kCertificateDefaultValiditySecs];
     return [self createOperationalCertificate:signingKeypair
                            signingCertificate:signingCertificate
                          operationalPublicKey:operationalPublicKey

diff --git a/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.h b/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.h
@@ -112,7 +112,7 @@ class MTROperationalCredentialsDelegate : public chip::Controller::OperationalCr
         NSDateInterval * validityPeriod, NSData * _Nullable __autoreleasing * _Nonnull operationalCert);
 
     // 10 years.
-    static const uint32_t kCertificateValiditySecs = 10 * 365 * 24 * 60 * 60;
+    static const uint32_t kCertificateDefaultValiditySecs = 10 * 365 * 24 * 60 * 60;
 
 private:
     // notAfter times can represent "forever".

diff --git a/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.mm b/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.mm
@@ -89,7 +89,7 @@
         return CHIP_ERROR_INCORRECT_STATE;
     }
 
-    auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] duration:kCertificateValiditySecs];
+    auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] duration:kCertificateDefaultValiditySecs];
     return GenerateNOC(*mIssuerKey, (mIntermediateCert != nil) ? mIntermediateCert : mRootCert, nodeId, fabricId, cats, pubkey,
         validityPeriod, noc);
 }

diff --git a/src/darwin/Framework/CHIPTests/MTRCertificateTests.m b/src/darwin/Framework/CHIPTests/MTRCertificateTests.m
@@ -21,11 +21,24 @@
 
 #import "MTRTestKeys.h"
 
-@interface MatterCertificateTests : XCTestCase
+@interface MTRCertificateTests : XCTestCase
 
 @end
 
-@implementation MatterCertificateTests
+@implementation MTRCertificateTests
+
+/**
+ * Helper function for creating start dates rounded to the nearest second (and
+ * which can therefore be represented without data loss in certificates).
+ */
++ (NSDate *)startDateWithTimeIntervalSinceNow:(NSTimeInterval)interval
+{
+    __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:interval];
+    // Round down to the nearest second, since the certificate bits will do that
+    // when they compute validity dates.
+    NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
+    return [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+}
 
 - (void)testGenerateRootCert
 {
@@ -50,11 +63,7 @@ - (void)testGenerateRootCertWithValidityPeriod
     __auto_type * testKeys = [[MTRTestKeys alloc] init];
     XCTAssertNotNil(testKeys);
 
-    __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:100];
-    // Round down to the nearest second, since the certificate bits will do that
-    // when it computes validity dates.
-    NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
-    startDate = [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+    __auto_type * startDate = [MTRCertificateTests startDateWithTimeIntervalSinceNow:100];
     __auto_type * validityPeriod = [[NSDateInterval alloc] initWithStartDate:startDate duration:200];
 
     __auto_type * rootCert = [MTRCertificates createRootCertificate:testKeys
@@ -83,11 +92,7 @@ - (void)testGenerateRootCertWithInfiniteValidity
     __auto_type * testKeys = [[MTRTestKeys alloc] init];
     XCTAssertNotNil(testKeys);
 
-    __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:100];
-    // Round down to the nearest second, since the certificate bits will do that
-    // when it computes validity dates.
-    NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
-    startDate = [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+    __auto_type * startDate = [MTRCertificateTests startDateWithTimeIntervalSinceNow:100];
     __auto_type * validityPeriod = [[NSDateInterval alloc] initWithStartDate:startDate endDate:[NSDate distantFuture]];
 
     __auto_type * rootCert = [MTRCertificates createRootCertificate:testKeys
@@ -151,11 +156,7 @@ - (void)testGenerateIntermediateCertWithValidityPeriod
     __auto_type * intermediateKeys = [[MTRTestKeys alloc] init];
     XCTAssertNotNil(intermediateKeys);
 
-    __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:300];
-    // Round down to the nearest second, since the certificate bits will do that
-    // when it computes validity dates.
-    NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
-    startDate = [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+    __auto_type * startDate = [MTRCertificateTests startDateWithTimeIntervalSinceNow:300];
     __auto_type * validityPeriod = [[NSDateInterval alloc] initWithStartDate:startDate duration:400];
 
     __auto_type * intermediateCert = [MTRCertificates createIntermediateCertificate:rootKeys
@@ -192,11 +193,7 @@ - (void)testGenerateIntermediateCertWithInfiniteValidity
     __auto_type * intermediateKeys = [[MTRTestKeys alloc] init];
     XCTAssertNotNil(intermediateKeys);
 
-    __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:300];
-    // Round down to the nearest second, since the certificate bits will do that
-    // when it computes validity dates.
-    NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
-    startDate = [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+    __auto_type * startDate = [MTRCertificateTests startDateWithTimeIntervalSinceNow:300];
     __auto_type * validityPeriod = [[NSDateInterval alloc] initWithStartDate:startDate endDate:[NSDate distantFuture]];
 
     __auto_type * intermediateCert = [MTRCertificates createIntermediateCertificate:rootKeys
@@ -275,11 +272,7 @@ - (void)testGenerateOperationalCertNoIntermediateWithValidityPeriod
     [cats addObject:@0x00020001];
     [cats addObject:@0x0003FFFF];
 
-    __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:1000];
-    // Round down to the nearest second, since the certificate bits will do that
-    // when it computes validity dates.
-    NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
-    startDate = [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+    __auto_type * startDate = [MTRCertificateTests startDateWithTimeIntervalSinceNow:1000];
     __auto_type * validityPeriod = [[NSDateInterval alloc] initWithStartDate:startDate duration:500];
 
     __auto_type * operationalCert = [MTRCertificates createOperationalCertificate:rootKeys
@@ -323,11 +316,7 @@ - (void)testGenerateOperationalCertNoIntermediateWithInfiniteValidity
     [cats addObject:@0x00020001];
     [cats addObject:@0x0003FFFF];
 
-    __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:1000];
-    // Round down to the nearest second, since the certificate bits will do that
-    // when it computes validity dates.
-    NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
-    startDate = [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+    __auto_type * startDate = [MTRCertificateTests startDateWithTimeIntervalSinceNow:1000];
     __auto_type * validityPeriod = [[NSDateInterval alloc] initWithStartDate:startDate endDate:[NSDate distantFuture]];
 
     __auto_type * operationalCert = [MTRCertificates createOperationalCertificate:rootKeys