From 10853333f552c061cacface35bcf29a1c6527db1 Mon Sep 17 00:00:00 2001
From: Boris Zbarsky
Date: Mon, 15 May 2023 21:44:56 -0400
Subject: [PATCH] Change Server to not validate certificate expiration by default. (#26530)

If an explicit validity policy is injected that validates notBefore/notAfter, we will do that, but if the app author just doesn't think about time-based validation default to not validating, because there's a good chance it will just lead to unexpected failures due to bad clocks and whatnot.
---
 src/app/server/Server.cpp | 12 ++++++++++--
 src/app/server/Server.h | 9 ++++-----
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/src/app/server/Server.cpp b/src/app/server/Server.cpp
index e741b9e34f0122..c0d3e108babe65 100644
--- a/src/app/server/Server.cpp
+++ b/src/app/server/Server.cpp
@@ -128,7 +128,14 @@ CHIP_ERROR Server::Init(const ServerInitParams & initParams)
     mOperationalKeystore = initParams.operationalKeystore;
     mOpCertStore = initParams.opCertStore;
 
-    mCertificateValidityPolicy.Init(initParams.certificateValidityPolicy);
+    if (initParams.certificateValidityPolicy)
+    {
+        mCertificateValidityPolicy.Init(initParams.certificateValidityPolicy);
+    }
+    else
+    {
+        mCertificateValidityPolicy.Init(&sDefaultCertValidityPolicy);
+    }
 
 #if defined(CHIP_SUPPORT_ENABLE_STORAGE_API_AUDIT)
     VerifyOrDie(chip::audit::ExecutePersistentStorageApiAudit(*mDeviceStorage));
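Review bot: The fallback to `sDefaultCertValidityPolicy` in the new else-branch silently disables notBefore/notAfter checking for every caller that leaves `initParams.certificateValidityPolicy` null, and nothing in the log records which policy was selected. Because this is a security-relevant default that an integrator may be relying on without knowing it, the choice should be visible at startup; a single line in the else-branch such as `ChipLogProgress(AppServer, "No certificate validity policy injected; certificate validity periods will not be enforced");` makes the downgraded behavior observable in device logs and during commissioning debugging. The documentation of the `certificateValidityPolicy` field on `ServerInitParams` should state the same null semantics if it does not already; that declaration is outside this hunk. `Server::Init` continues past the end of the hunk.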
@@ -531,11 +538,12 @@ void Server::ResumeSubscriptions()
 }
 #endif
 
+Credentials::IgnoreCertificateValidityPeriodPolicy Server::sDefaultCertValidityPolicy;
+
 KvsPersistentStorageDelegate CommonCaseDeviceServerInitParams::sKvsPersistenStorageDelegate;
 PersistentStorageOperationalKeystore CommonCaseDeviceServerInitParams::sPersistentStorageOperationalKeystore;
 Credentials::PersistentStorageOpCertStore CommonCaseDeviceServerInitParams::sPersistentStorageOpCertStore;
 Credentials::GroupDataProviderImpl CommonCaseDeviceServerInitParams::sGroupDataProvider;
-Credentials::IgnoreCertificateValidityPeriodPolicy CommonCaseDeviceServerInitParams::sDefaultCertValidityPolicy;
 #if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
 SimpleSessionResumptionStorage CommonCaseDeviceServerInitParams::sSessionResumptionStorage;
 #endif
diff --git a/src/app/server/Server.h b/src/app/server/Server.h
index 0a6bc5c54801f6..eee11b0bc6ff60 100644
--- a/src/app/server/Server.h
+++ b/src/app/server/Server.h
@@ -233,10 +233,6 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
         // Inject ACL storage. (Don't initialize it.)
         this->aclStorage = &sAclStorage;
 
-        // Inject certificate validation policy compatible with non-wall-clock-time-synced
-        // embedded systems.
-        this->certificateValidityPolicy = &sDefaultCertValidityPolicy;
-
 #if CHIP_CONFIG_PERSIST_SUBSCRIPTIONS
         ChipLogProgress(AppServer, "Initializing subscription resumption storage...");
         ReturnErrorOnFailure(sSubscriptionResumptionStorage.Init(this->persistentStorageDelegate));
@@ -253,7 +249,6 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
     static PersistentStorageOperationalKeystore sPersistentStorageOperationalKeystore;
     static Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore;
     static Credentials::GroupDataProviderImpl sGroupDataProvider;
-    static Credentials::IgnoreCertificateValidityPeriodPolicy sDefaultCertValidityPolicy;
 #if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
     static SimpleSessionResumptionStorage sSessionResumptionStorage;
 #endif
@@ -554,6 +549,10 @@ class Server
     Ble::BleLayer * mBleLayer = nullptr;
 #endif
 
+    // By default, use a certificate validation policy compatible with non-wall-clock-time-synced
+    // embedded systems.
+    static Credentials::IgnoreCertificateValidityPeriodPolicy sDefaultCertValidityPolicy;
+
     ServerTransportMgr mTransports;
     SessionManager mSessions;
     CASEServer mCASEServer;
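Review bot: The comment on the new `sDefaultCertValidityPolicy` member in the `class Server` hunk (the second hunk on this line) says what the policy is compatible with but not what it does, which is the part a maintainer needs when deciding whether to inject their own policy. I would replace it with `// Fallback used when ServerInitParams::certificateValidityPolicy is null. This policy does not check` / `// notBefore/notAfter, so expired or not-yet-valid certificates are accepted; it suits embedded systems` / `// without a trusted wall clock. Inject a policy via ServerInitParams to enforce validity periods.` The type name `IgnoreCertificateValidityPeriodPolicy` and the commit description support this wording. The enclosing `class Server` starts and ends outside the hunk.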