From 05623af027f550f00abb480d10db188d358f5bf6 Mon Sep 17 00:00:00 2001
From: Boris Zbarsky
Date: Mon, 8 May 2023 14:19:37 -0400
Subject: [PATCH] Address review comments.
---
 src/darwin/Framework/CHIP/MTRCertificates.h | 14 +++--
 src/darwin/Framework/CHIP/MTRCertificates.mm | 15 +++---
 .../CHIP/MTROperationalCredentialsDelegate.h | 2 +-
 .../CHIP/MTROperationalCredentialsDelegate.mm | 2 +-
 .../Framework/CHIPTests/MTRCertificateTests.m | 53 ++++++++-----------
 5 files changed, 43 insertions(+), 43 deletions(-)
diff --git a/src/darwin/Framework/CHIP/MTRCertificates.h b/src/darwin/Framework/CHIP/MTRCertificates.h
index 1c333697436db4..9b804dd05339de 100644
--- a/src/darwin/Framework/CHIP/MTRCertificates.h
+++ b/src/darwin/Framework/CHIP/MTRCertificates.h
@@ -44,7 +44,11 @@ NS_ASSUME_NONNULL_BEGIN
 * If fabricID is not nil, it will be included in the subject DN of the
 * certificate. In this case it must be a valid Matter fabric id.
 *
- * validityPeriod specifies when the certificate will be valid.
+ * validityPeriod specifies when the certificate will be valid. Note that
+ * there is currently no mechanism available in Matter to update or rotate
+ * the root certificate of a fabric installed on a device. A certificate with
+ * no expiration time can be created by specifying [NSDate distantFuture] for
+ * the end of the period.
 *
 * On failure returns nil and if "error" is not null sets *error to the relevant
 * error.
@@ -79,7 +83,9 @@ NS_ASSUME_NONNULL_BEGIN
 * If fabricID is not nil, it will be included in the subject DN of the
 * certificate. In this case it must be a valid Matter fabric id.
 *
- * validityPeriod specifies when the certificate will be valid.
+ * validityPeriod specifies when the certificate will be valid. A certificate
+ * with no expiration time can be created by specifying [NSDate distantFuture]
+ * for the end of the period.
 *
 * On failure returns nil and if "error" is not null sets *error to the relevant
 * error.
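Review bot: The sentence added to the intermediate-certificate comment at -79,7, and repeated for the operational certificate at -123,7, tells callers how to mint a certificate that never expires without saying when that is appropriate. Only the root-certificate comment at -44,7 gives a reason (no rotation mechanism is available); for the other two, the validity period is what bounds how long a leaked signing or operational key stays usable, so removing it should be a deliberate choice. I would add a sentence to both comments such as `Prefer a bounded period unless the certificate cannot be replaced once it is installed.` The comment blocks start and end outside these hunks, so they may carry related guidance that is not visible here.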
@@ -123,7 +129,9 @@ NS_ASSUME_NONNULL_BEGIN
 * 3 numbers, which are expected to be 32-bit unsigned Case Authenticated Tag
 * values.
 *
- * validityPeriod specifies when the certificate will be valid.
+ * validityPeriod specifies when the certificate will be valid. A certificate
+ * with no expiration time can be created by specifying [NSDate distantFuture]
+ * for the end of the period.
 *
 * On failure returns nil and if "error" is not null sets *error to the relevant
 * error.
diff --git a/src/darwin/Framework/CHIP/MTRCertificates.mm b/src/darwin/Framework/CHIP/MTRCertificates.mm
index 8cdb060f9ac9d0..149f1c58b3a6e2 100644
--- a/src/darwin/Framework/CHIP/MTRCertificates.mm
+++ b/src/darwin/Framework/CHIP/MTRCertificates.mm
@@ -62,8 +62,9 @@ + (MTRCertificateDERBytes _Nullable)createRootCertificate:(id)keypai
 fabricID:(NSNumber * _Nullable)fabricID
 error:(NSError * __autoreleasing *)error
 {
- auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now]
- duration:MTROperationalCredentialsDelegate::kCertificateValiditySecs];
+ auto * validityPeriod =
+ [[NSDateInterval alloc] initWithStartDate:[NSDate now]
+ duration:MTROperationalCredentialsDelegate::kCertificateDefaultValiditySecs];
 return [self createRootCertificate:keypair issuerID:issuerID fabricID:fabricID validityPeriod:validityPeriod error:error];
 }
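Review bot: The convenience overload in the -62,8 hunk still fixes the root certificate's lifetime at `kCertificateDefaultValiditySecs` from `[NSDate now]`, which the delegate header in this patch comments as 10 years, and nothing at the call site says so. The header comment changed in the same commit states that Matter has no mechanism to update or rotate a fabric's root certificate, so a root created through this path expires with no rotation path. A comment above the assignment would make that visible, e.g. `// Default lifetime is 10 years; use the validityPeriod: variant for a root that must outlive that.` The same default is applied in the overload at -97,8. The header documentation for this overload is outside the hunk, so it may already state the default.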
@@ -97,8 +98,9 @@ + (MTRCertificateDERBytes _Nullable)createIntermediateCertificate:(id
 caseAuthenticatedTags:(NSSet * _Nullable)caseAuthenticatedTags
 error:(NSError * __autoreleasing _Nullable * _Nullable)error
 {
- auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now]
- duration:MTROperationalCredentialsDelegate::kCertificateValiditySecs];
+ auto * validityPeriod =
+ [[NSDateInterval alloc] initWithStartDate:[NSDate now]
+ duration:MTROperationalCredentialsDelegate::kCertificateDefaultValiditySecs];
 return [self createOperationalCertificate:signingKeypair
 signingCertificate:signingCertificate
 operationalPublicKey:operationalPublicKey
diff --git a/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.h b/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.h
index 4e7ed74cbe8cae..8a5ec3bdbd9fd4 100644
--- a/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.h
+++ b/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.h
@@ -112,7 +112,7 @@ class MTROperationalCredentialsDelegate : public chip::Controller::OperationalCr
 NSDateInterval * validityPeriod, NSData * _Nullable __autoreleasing * _Nonnull operationalCert);
 // 10 years.
- static const uint32_t kCertificateValiditySecs = 10 * 365 * 24 * 60 * 60;
+ static const uint32_t kCertificateDefaultValiditySecs = 10 * 365 * 24 * 60 * 60;
 private:
 // notAfter times can represent "forever".
diff --git a/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.mm b/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.mm
index bbae67a39d5a62..67dda223e787fd 100644
--- a/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.mm
+++ b/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.mm
@@ -89,7 +89,7 @@
 return CHIP_ERROR_INCORRECT_STATE;
 }
- auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] duration:kCertificateValiditySecs];
+ auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] duration:kCertificateDefaultValiditySecs];
 return GenerateNOC(*mIssuerKey, (mIntermediateCert != nil) ? mIntermediateCert : mRootCert, nodeId, fabricId, cats, pubkey, validityPeriod, noc);
 }
diff --git a/src/darwin/Framework/CHIPTests/MTRCertificateTests.m b/src/darwin/Framework/CHIPTests/MTRCertificateTests.m
index 307f427a62aef9..89860b8df2f997 100644
--- a/src/darwin/Framework/CHIPTests/MTRCertificateTests.m
+++ b/src/darwin/Framework/CHIPTests/MTRCertificateTests.m
@@ -21,11 +21,24 @@
 #import "MTRTestKeys.h"
-@interface MatterCertificateTests : XCTestCase
+@interface MTRCertificateTests : XCTestCase
 @end
-@implementation MatterCertificateTests
+@implementation MTRCertificateTests
+
+/**
+ * Helper function for creating start dates rounded to the nearest second (and
+ * which can therefore be represented without data loss in certificates).
+ */
++ (NSDate *)startDateWithTimeIntervalSinceNow:(NSTimeInterval)interval
+{
+ __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:interval];
+ // Round down to the nearest second, since the certificate bits will do that
+ // when they compute validity dates.
+ NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
+ return [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+}
 - (void)testGenerateRootCert
 {
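Review bot: The doc comment on `startDateWithTimeIntervalSinceNow:` in the -21,11 hunk says the date is "rounded to the nearest second", but the body calls `floor()`, which always truncates to the earlier whole second. The difference matters to anyone reusing the helper, because the inline comment says the certificate code rounds down, so a round-to-nearest date could sit up to half a second after what the certificate encodes. I would reword the header to `Helper function for creating start dates truncated to a whole second (and which can therefore be represented without data loss in certificates).` and the inline comment to `// Truncate to a whole second, since the certificate bits will do that`.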
@@ -50,11 +63,7 @@ - (void)testGenerateRootCertWithValidityPeriod
 __auto_type * testKeys = [[MTRTestKeys alloc] init];
 XCTAssertNotNil(testKeys);
- __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:100];
- // Round down to the nearest second, since the certificate bits will do that
- // when it computes validity dates.
- NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
- startDate = [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+ __auto_type * startDate = [MTRCertificateTests startDateWithTimeIntervalSinceNow:100];
 __auto_type * validityPeriod = [[NSDateInterval alloc] initWithStartDate:startDate duration:200];
 __auto_type * rootCert = [MTRCertificates createRootCertificate:testKeys
@@ -83,11 +92,7 @@ - (void)testGenerateRootCertWithInfiniteValidity
 __auto_type * testKeys = [[MTRTestKeys alloc] init];
 XCTAssertNotNil(testKeys);
- __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:100];
- // Round down to the nearest second, since the certificate bits will do that
- // when it computes validity dates.
- NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
- startDate = [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+ __auto_type * startDate = [MTRCertificateTests startDateWithTimeIntervalSinceNow:100];
 __auto_type * validityPeriod = [[NSDateInterval alloc] initWithStartDate:startDate endDate:[NSDate distantFuture]];
 __auto_type * rootCert = [MTRCertificates createRootCertificate:testKeys
@@ -151,11 +156,7 @@ - (void)testGenerateIntermediateCertWithValidityPeriod
 __auto_type * intermediateKeys = [[MTRTestKeys alloc] init];
 XCTAssertNotNil(intermediateKeys);
- __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:300];
- // Round down to the nearest second, since the certificate bits will do that
- // when it computes validity dates.
- NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
- startDate = [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+ __auto_type * startDate = [MTRCertificateTests startDateWithTimeIntervalSinceNow:300];
 __auto_type * validityPeriod = [[NSDateInterval alloc] initWithStartDate:startDate duration:400];
 __auto_type * intermediateCert = [MTRCertificates createIntermediateCertificate:rootKeys
@@ -192,11 +193,7 @@ - (void)testGenerateIntermediateCertWithInfiniteValidity
 __auto_type * intermediateKeys = [[MTRTestKeys alloc] init];
 XCTAssertNotNil(intermediateKeys);
- __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:300];
- // Round down to the nearest second, since the certificate bits will do that
- // when it computes validity dates.
- NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
- startDate = [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+ __auto_type * startDate = [MTRCertificateTests startDateWithTimeIntervalSinceNow:300];
 __auto_type * validityPeriod = [[NSDateInterval alloc] initWithStartDate:startDate endDate:[NSDate distantFuture]];
 __auto_type * intermediateCert = [MTRCertificates createIntermediateCertificate:rootKeys
@@ -275,11 +272,7 @@ - (void)testGenerateOperationalCertNoIntermediateWithValidityPeriod
 [cats addObject:@0x00020001];
 [cats addObject:@0x0003FFFF];
- __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:1000];
- // Round down to the nearest second, since the certificate bits will do that
- // when it computes validity dates.
- NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
- startDate = [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+ __auto_type * startDate = [MTRCertificateTests startDateWithTimeIntervalSinceNow:1000];
 __auto_type * validityPeriod = [[NSDateInterval alloc] initWithStartDate:startDate duration:500];
 __auto_type * operationalCert = [MTRCertificates createOperationalCertificate:rootKeys
@@ -323,11 +316,7 @@ - (void)testGenerateOperationalCertNoIntermediateWithInfiniteValidity
 [cats addObject:@0x00020001];
 [cats addObject:@0x0003FFFF];
- __auto_type * startDate = [NSDate dateWithTimeIntervalSinceNow:1000];
- // Round down to the nearest second, since the certificate bits will do that
- // when it computes validity dates.
- NSTimeInterval seconds = floor([startDate timeIntervalSinceReferenceDate]);
- startDate = [NSDate dateWithTimeIntervalSinceReferenceDate:seconds];
+ __auto_type * startDate = [MTRCertificateTests startDateWithTimeIntervalSinceNow:1000];
 __auto_type * validityPeriod = [[NSDateInterval alloc] initWithStartDate:startDate endDate:[NSDate distantFuture]];
 __auto_type * operationalCert = [MTRCertificates createOperationalCertificate:rootKeys