From 1462628a6d18af84deae44205295af47dc22bf04 Mon Sep 17 00:00:00 2001
From: Boris Zbarsky
Date: Thu, 11 May 2023 19:58:02 -0400
Subject: [PATCH] Change Matter.framework to not put expiration time on certs by default. (#26520)
---
 src/darwin/Framework/CHIP/MTRCertificates.h | 15 ++++++---------
 src/darwin/Framework/CHIP/MTRCertificates.mm | 12 +++---------
 .../CHIP/MTROperationalCredentialsDelegate.h | 3 ---
 .../CHIP/MTROperationalCredentialsDelegate.mm | 2 +-
 4 files changed, 10 insertions(+), 22 deletions(-)
diff --git a/src/darwin/Framework/CHIP/MTRCertificates.h b/src/darwin/Framework/CHIP/MTRCertificates.h
index 9b804dd05339de..e74d3de729ce4b 100644
--- a/src/darwin/Framework/CHIP/MTRCertificates.h
+++ b/src/darwin/Framework/CHIP/MTRCertificates.h
@@ -61,14 +61,13 @@ NS_ASSUME_NONNULL_BEGIN
 MTR_NEWLY_AVAILABLE;
 /**
- * As above, but defaults to a 10-year validity period starting now.
+ * As above, but defaults to no expiration time.
 */
 + (MTRCertificateDERBytes _Nullable)createRootCertificate:(id)keypair
 issuerID:(NSNumber * _Nullable)issuerID
 fabricID:(NSNumber * _Nullable)fabricID
 error:(NSError * __autoreleasing _Nullable * _Nullable)error
- API_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4))
- MTR_NEWLY_DEPRECATED("Please use the version that specifies an explicit validity period");
+ API_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4));
 /**
 * Create an intermediate X.509 DER encoded certificate that has the
@@ -100,7 +99,7 @@ NS_ASSUME_NONNULL_BEGIN
 MTR_NEWLY_AVAILABLE;
 /**
- * As above, but defaults to a 10-year validity period starting now.
+ * As above, but defaults to no expiration time.
 */
 + (MTRCertificateDERBytes _Nullable)createIntermediateCertificate:(id)rootKeypair
 rootCertificate:(MTRCertificateDERBytes)rootCertificate
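Review bot: The new doc comment `As above, but defaults to no expiration time.` on the createRootCertificate convenience overload does not tell callers what that means in practice: a root certificate without an expiry can only be retired by rotating it out of the fabric's trust configuration, so the lifetime should be a deliberate choice rather than an inherited default. The overload also keeps its original API_AVAILABLE annotation while its default behaviour changes from the 10-year period the removed comment described to no expiration, so a caller updating the framework silently gets non-expiring certificates; the comment should say so, e.g. `As above, but defaults to no expiration time (earlier releases defaulted to a 10-year period). Use the validityPeriod overload when the certificate must expire.` The same wording applies to the createIntermediateCertificate comment in the @@ -100 hunk and the createOperationalCertificate comment in the @@ -147 hunk, and the @@ -108 and @@ -156 hunks drop the same MTR_NEWLY_DEPRECATED marker for those overloads.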
@@ -108,8 +107,7 @@ NS_ASSUME_NONNULL_BEGIN
 issuerID:(NSNumber * _Nullable)issuerID
 fabricID:(NSNumber * _Nullable)fabricID
 error:(NSError * __autoreleasing _Nullable * _Nullable)error
- API_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4))
- MTR_NEWLY_DEPRECATED("Please use the version that specifies an explicit validity period");
+ API_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4));
 /**
 * Create an X.509 DER encoded certificate that has the
@@ -147,7 +145,7 @@ NS_ASSUME_NONNULL_BEGIN
 MTR_NEWLY_AVAILABLE;
 /**
- * As above, but defaults to a 10-year validity period starting now.
+ * As above, but defaults to no expiration time.
 */
 + (MTRCertificateDERBytes _Nullable)createOperationalCertificate:(id)signingKeypair
 signingCertificate:(MTRCertificateDERBytes)signingCertificate
@@ -156,8 +154,7 @@ NS_ASSUME_NONNULL_BEGIN
 nodeID:(NSNumber *)nodeID
 caseAuthenticatedTags:(NSSet * _Nullable)caseAuthenticatedTags
 error:(NSError * __autoreleasing _Nullable * _Nullable)error
- API_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4))
- MTR_NEWLY_DEPRECATED("Please use the version that specifies an explicit validity period");
+ API_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4));
 /**
 * Check whether the given keypair's public key matches the given certificate's
diff --git a/src/darwin/Framework/CHIP/MTRCertificates.mm b/src/darwin/Framework/CHIP/MTRCertificates.mm
index 149f1c58b3a6e2..e2967faba8cac2 100644
--- a/src/darwin/Framework/CHIP/MTRCertificates.mm
+++ b/src/darwin/Framework/CHIP/MTRCertificates.mm
@@ -62,9 +62,7 @@ + (MTRCertificateDERBytes _Nullable)createRootCertificate:(id)keypai
 fabricID:(NSNumber * _Nullable)fabricID
 error:(NSError * __autoreleasing *)error
 {
- auto * validityPeriod =
- [[NSDateInterval alloc] initWithStartDate:[NSDate now]
- duration:MTROperationalCredentialsDelegate::kCertificateDefaultValiditySecs];
+ auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] endDate:[NSDate distantFuture]];
 return [self createRootCertificate:keypair issuerID:issuerID fabricID:fabricID validityPeriod:validityPeriod error:error];
 }
@@ -98,9 +96,7 @@ + (MTRCertificateDERBytes _Nullable)createIntermediateCertificate:(id
 caseAuthenticatedTags:(NSSet * _Nullable)caseAuthenticatedTags
 error:(NSError * __autoreleasing _Nullable * _Nullable)error
 {
- auto * validityPeriod =
- [[NSDateInterval alloc] initWithStartDate:[NSDate now]
- duration:MTROperationalCredentialsDelegate::kCertificateDefaultValiditySecs];
+ auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] endDate:[NSDate distantFuture]];
 return [self createOperationalCertificate:signingKeypair
 signingCertificate:signingCertificate
 operationalPublicKey:operationalPublicKey
diff --git a/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.h b/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.h
index 8a5ec3bdbd9fd4..b3dfd2419186f4 100644
--- a/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.h
+++ b/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.h
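Review bot: The added `auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] endDate:[NSDate distantFuture]];` in createRootCertificate uses `[NSDate distantFuture]` as an unexplained sentinel for "never expires"; presumably ToChipNotAfterEpochTime maps it to the "forever" notAfter encoding that the header comment in MTROperationalCredentialsDelegate.h mentions, but nothing at the call site says so, and a reader could take it for an ordinary far-off date. A one-line comment would make the contract explicit, e.g. `// A distantFuture end date is the "no expiration" sentinel; the notAfter conversion encodes it as "forever".` The identical expression is repeated in the @@ -98 hunk of this file and in the @@ -89 hunk of MTROperationalCredentialsDelegate.mm, so a single shared helper or constant for the default interval would keep the three defaults from drifting. The @@ -98 hunk's enclosing method begins and ends outside the hunk (its @@ header names createIntermediateCertificate, but the body shown belongs to the createOperationalCertificate convenience overload).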
@@ -111,9 +111,6 @@ class MTROperationalCredentialsDelegate : public chip::Controller::OperationalCr
 SecKeyRef operationalPublicKey, NSNumber * fabricId, NSNumber * nodeId, NSSet * _Nullable caseAuthenticatedTags, NSDateInterval * validityPeriod, NSData * _Nullable __autoreleasing * _Nonnull operationalCert);
- // 10 years.
- static const uint32_t kCertificateDefaultValiditySecs = 10 * 365 * 24 * 60 * 60;
-
 private:
 // notAfter times can represent "forever".
 static bool ToChipNotAfterEpochTime(NSDate * date, uint32_t & epoch);
diff --git a/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.mm b/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.mm
index 79af08e9bfe029..887fd20dba9e1f 100644
--- a/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.mm
+++ b/src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.mm
@@ -89,7 +89,7 @@
 return CHIP_ERROR_INCORRECT_STATE;
 }
- auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] duration:kCertificateDefaultValiditySecs];
+ auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] endDate:[NSDate distantFuture]];
 return GenerateNOC(*mIssuerKey, (mIntermediateCert != nil) ? mIntermediateCert : mRootCert, nodeId, fabricId, cats, pubkey, validityPeriod, noc);
 }