Fix generation of certificates without an expiration date.

Since Matter encodes "no expiration" as 0, we can't just check that notAfter >= notBefore; we have to check for the case when notAfter is "no expiration" separately.
project-chip · May 6, 2023 · 254b2ec · 254b2ec
1 parent de1c64a
commit 254b2ec
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/src/credentials/CHIPCert.cpp b/src/credentials/CHIPCert.cpp
@@ -1142,7 +1142,7 @@ DLL_EXPORT CHIP_ERROR ChipEpochToASN1Time(uint32_t epochTime, chip::ASN1::ASN1Un
     // times, which in consuming code can create a conversion from CHIP epoch 0 seconds to 99991231235959Z
     // for NotBefore, which is not conventional.
     //
-    // If an original X509 certificate encloses a NotBefore time that this the CHIP Epoch itself, 2000-01-01
+    // If an original X509 certificate encloses a NotBefore time that is the CHIP Epoch itself, 2000-01-01
     // 00:00:00, the resultant X509 certificate in a conversion back from CHIP TLV format using this time
     // conversion method will instead enclose the NotBefore time 99991231235959Z, which will invalidiate the
     // TBS signature.  Thus, certificates with this specific attribute are not usable with this code.

diff --git a/src/credentials/GenerateChipX509Cert.cpp b/src/credentials/GenerateChipX509Cert.cpp
@@ -330,7 +330,8 @@ CHIP_ERROR EncodeTBSCert(const X509CertRequestParams & requestParams, const Cryp
     bool isCA;
 
     VerifyOrReturnError(requestParams.SerialNumber >= 0, CHIP_ERROR_INVALID_ARGUMENT);
-    VerifyOrReturnError(requestParams.ValidityEnd >= requestParams.ValidityStart, CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(requestParams.ValidityEnd == kNullCertTime || requestParams.ValidityEnd >= requestParams.ValidityStart,
+                        CHIP_ERROR_INVALID_ARGUMENT);
 
     ReturnErrorOnFailure(requestParams.SubjectDN.GetCertType(certType));
     isCA = (certType == kCertType_ICA || certType == kCertType_Root);