Skip to content

Commit

Permalink
Move the "ignore certificate validity dates" policy out of Server.h. (#…
Browse files Browse the repository at this point in the history
…26519)

This makes it easier to use for clients that don't have reliable wall-clock
time.
  • Loading branch information
bzbarsky-apple authored and pull[bot] committed Mar 8, 2024
1 parent bd2869f commit 2555714
Show file tree
Hide file tree
Showing 4 changed files with 37 additions and 39 deletions.
2 changes: 1 addition & 1 deletion examples/platform/nxp/se05x/linux/AppMain.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -299,7 +299,7 @@ struct CommonCaseDeviceServerInitParams_Se05x : public CommonCaseDeviceServerIni
static chip::PersistentStorageOperationalKeystoreHSM sPersistentStorageOperationalKeystore;
static chip::Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore;
static chip::Credentials::GroupDataProviderImpl sGroupDataProvider;
static IgnoreCertificateValidityPolicy sDefaultCertValidityPolicy;
static Credentials::IgnoreCertificateValidityPeriodPolicy sDefaultCertValidityPolicy;
static chip::Crypto::DefaultSessionKeystore sSessionKeystore;

#if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
Expand Down
2 changes: 1 addition & 1 deletion src/app/server/Server.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -535,7 +535,7 @@ KvsPersistentStorageDelegate CommonCaseDeviceServerInitParams::sKvsPersistenStor
PersistentStorageOperationalKeystore CommonCaseDeviceServerInitParams::sPersistentStorageOperationalKeystore;
Credentials::PersistentStorageOpCertStore CommonCaseDeviceServerInitParams::sPersistentStorageOpCertStore;
Credentials::GroupDataProviderImpl CommonCaseDeviceServerInitParams::sGroupDataProvider;
IgnoreCertificateValidityPolicy CommonCaseDeviceServerInitParams::sDefaultCertValidityPolicy;
Credentials::IgnoreCertificateValidityPeriodPolicy CommonCaseDeviceServerInitParams::sDefaultCertValidityPolicy;
#if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
SimpleSessionResumptionStorage CommonCaseDeviceServerInitParams::sSessionResumptionStorage;
#endif
Expand Down
38 changes: 1 addition & 37 deletions src/app/server/Server.h
Original file line number Diff line number Diff line change
Expand Up @@ -137,42 +137,6 @@ struct ServerInitParams
Credentials::OperationalCertificateStore * opCertStore = nullptr;
};

class IgnoreCertificateValidityPolicy : public Credentials::CertificateValidityPolicy
{
public:
IgnoreCertificateValidityPolicy() {}

/**
* @brief
*
* This certificate validity policy does not validate NotBefore or
* NotAfter to accommodate platforms that may have wall clock time, but
* where it is unreliable.
*
* Last Known Good Time is also not considered in this policy.
*
* @param cert CHIP Certificate for which we are evaluating validity
* @param depth the depth of the certificate in the chain, where the leaf is at depth 0
* @return CHIP_NO_ERROR if CHIPCert should accept the certificate; an appropriate CHIP_ERROR if it should be rejected
*/
CHIP_ERROR ApplyCertificateValidityPolicy(const Credentials::ChipCertificateData * cert, uint8_t depth,
Credentials::CertificateValidityResult result) override
{
switch (result)
{
case Credentials::CertificateValidityResult::kValid:
case Credentials::CertificateValidityResult::kNotYetValid:
case Credentials::CertificateValidityResult::kExpired:
case Credentials::CertificateValidityResult::kNotExpiredAtLastKnownGoodTime:
case Credentials::CertificateValidityResult::kExpiredAtLastKnownGoodTime:
case Credentials::CertificateValidityResult::kTimeUnknown:
return CHIP_NO_ERROR;
default:
return CHIP_ERROR_INVALID_ARGUMENT;
}
}
};

/**
* Transitional version of ServerInitParams to assist SDK integrators in
* transitioning to injecting product/platform-owned resources. This version
Expand Down Expand Up @@ -289,7 +253,7 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
static PersistentStorageOperationalKeystore sPersistentStorageOperationalKeystore;
static Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore;
static Credentials::GroupDataProviderImpl sGroupDataProvider;
static IgnoreCertificateValidityPolicy sDefaultCertValidityPolicy;
static Credentials::IgnoreCertificateValidityPeriodPolicy sDefaultCertValidityPolicy;
#if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
static SimpleSessionResumptionStorage sSessionResumptionStorage;
#endif
Expand Down
34 changes: 34 additions & 0 deletions src/credentials/CertificateValidityPolicy.h
Original file line number Diff line number Diff line change
Expand Up @@ -60,5 +60,39 @@ class CertificateValidityPolicy
static CHIP_ERROR ApplyDefaultPolicy(const ChipCertificateData * cert, uint8_t depth, CertificateValidityResult result);
};

class IgnoreCertificateValidityPeriodPolicy : public CertificateValidityPolicy
{
public:
IgnoreCertificateValidityPeriodPolicy() {}

/**
* This certificate validity policy does not validate NotBefore or
* NotAfter to accommodate platforms that may have wall clock time, but
* where it is unreliable.
*
* Last Known Good Time is also not considered in this policy.
*
* @param cert CHIP Certificate for which we are evaluating validity
* @param depth the depth of the certificate in the chain, where the leaf is at depth 0
* @return CHIP_NO_ERROR if CHIPCert should accept the certificate; an appropriate CHIP_ERROR if it should be rejected
*/
CHIP_ERROR ApplyCertificateValidityPolicy(const Credentials::ChipCertificateData * cert, uint8_t depth,
Credentials::CertificateValidityResult result) override
{
switch (result)
{
case Credentials::CertificateValidityResult::kValid:
case Credentials::CertificateValidityResult::kNotYetValid:
case Credentials::CertificateValidityResult::kExpired:
case Credentials::CertificateValidityResult::kNotExpiredAtLastKnownGoodTime:
case Credentials::CertificateValidityResult::kExpiredAtLastKnownGoodTime:
case Credentials::CertificateValidityResult::kTimeUnknown:
return CHIP_NO_ERROR;
default:
return CHIP_ERROR_INVALID_ARGUMENT;
}
}
};

} // namespace Credentials
} // namespace chip

0 comments on commit 2555714

Please sign in to comment.