From 25557141dfae26ffbd3934adc050f292ccb8470f Mon Sep 17 00:00:00 2001
From: Boris Zbarsky <bzbarsky@apple.com>
Date: Thu, 11 May 2023 19:57:17 -0400
Subject: [PATCH] Move the "ignore certificate validity dates" policy out of
 Server.h. (#26519)

This makes it easier to use for clients that don't have reliable wall-clock
time.
---
 examples/platform/nxp/se05x/linux/AppMain.cpp |  2 +-
 src/app/server/Server.cpp                     |  2 +-
 src/app/server/Server.h                       | 38 +------------------
 src/credentials/CertificateValidityPolicy.h   | 34 +++++++++++++++++
 4 files changed, 37 insertions(+), 39 deletions(-)

diff --git a/examples/platform/nxp/se05x/linux/AppMain.cpp b/examples/platform/nxp/se05x/linux/AppMain.cpp
index 2f38e784dd395c..1ecf8052100a54 100644
--- a/examples/platform/nxp/se05x/linux/AppMain.cpp
+++ b/examples/platform/nxp/se05x/linux/AppMain.cpp
@@ -299,7 +299,7 @@ struct CommonCaseDeviceServerInitParams_Se05x : public CommonCaseDeviceServerIni
         static chip::PersistentStorageOperationalKeystoreHSM sPersistentStorageOperationalKeystore;
         static chip::Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore;
         static chip::Credentials::GroupDataProviderImpl sGroupDataProvider;
-        static IgnoreCertificateValidityPolicy sDefaultCertValidityPolicy;
+        static Credentials::IgnoreCertificateValidityPeriodPolicy sDefaultCertValidityPolicy;
         static chip::Crypto::DefaultSessionKeystore sSessionKeystore;
 
 #if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
diff --git a/src/app/server/Server.cpp b/src/app/server/Server.cpp
index 344776c49ac93b..e741b9e34f0122 100644
--- a/src/app/server/Server.cpp
+++ b/src/app/server/Server.cpp
@@ -535,7 +535,7 @@ KvsPersistentStorageDelegate CommonCaseDeviceServerInitParams::sKvsPersistenStor
 PersistentStorageOperationalKeystore CommonCaseDeviceServerInitParams::sPersistentStorageOperationalKeystore;
 Credentials::PersistentStorageOpCertStore CommonCaseDeviceServerInitParams::sPersistentStorageOpCertStore;
 Credentials::GroupDataProviderImpl CommonCaseDeviceServerInitParams::sGroupDataProvider;
-IgnoreCertificateValidityPolicy CommonCaseDeviceServerInitParams::sDefaultCertValidityPolicy;
+Credentials::IgnoreCertificateValidityPeriodPolicy CommonCaseDeviceServerInitParams::sDefaultCertValidityPolicy;
 #if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
 SimpleSessionResumptionStorage CommonCaseDeviceServerInitParams::sSessionResumptionStorage;
 #endif
diff --git a/src/app/server/Server.h b/src/app/server/Server.h
index 380e8240abfed9..0a6bc5c54801f6 100644
--- a/src/app/server/Server.h
+++ b/src/app/server/Server.h
@@ -137,42 +137,6 @@ struct ServerInitParams
     Credentials::OperationalCertificateStore * opCertStore = nullptr;
 };
 
-class IgnoreCertificateValidityPolicy : public Credentials::CertificateValidityPolicy
-{
-public:
-    IgnoreCertificateValidityPolicy() {}
-
-    /**
-     * @brief
-     *
-     * This certificate validity policy does not validate NotBefore or
-     * NotAfter to accommodate platforms that may have wall clock time, but
-     * where it is unreliable.
-     *
-     * Last Known Good Time is also not considered in this policy.
-     *
-     * @param cert CHIP Certificate for which we are evaluating validity
-     * @param depth the depth of the certificate in the chain, where the leaf is at depth 0
-     * @return CHIP_NO_ERROR if CHIPCert should accept the certificate; an appropriate CHIP_ERROR if it should be rejected
-     */
-    CHIP_ERROR ApplyCertificateValidityPolicy(const Credentials::ChipCertificateData * cert, uint8_t depth,
-                                              Credentials::CertificateValidityResult result) override
-    {
-        switch (result)
-        {
-        case Credentials::CertificateValidityResult::kValid:
-        case Credentials::CertificateValidityResult::kNotYetValid:
-        case Credentials::CertificateValidityResult::kExpired:
-        case Credentials::CertificateValidityResult::kNotExpiredAtLastKnownGoodTime:
-        case Credentials::CertificateValidityResult::kExpiredAtLastKnownGoodTime:
-        case Credentials::CertificateValidityResult::kTimeUnknown:
-            return CHIP_NO_ERROR;
-        default:
-            return CHIP_ERROR_INVALID_ARGUMENT;
-        }
-    }
-};
-
 /**
  * Transitional version of ServerInitParams to assist SDK integrators in
  * transitioning to injecting product/platform-owned resources. This version
@@ -289,7 +253,7 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
     static PersistentStorageOperationalKeystore sPersistentStorageOperationalKeystore;
     static Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore;
     static Credentials::GroupDataProviderImpl sGroupDataProvider;
-    static IgnoreCertificateValidityPolicy sDefaultCertValidityPolicy;
+    static Credentials::IgnoreCertificateValidityPeriodPolicy sDefaultCertValidityPolicy;
 #if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
     static SimpleSessionResumptionStorage sSessionResumptionStorage;
 #endif
diff --git a/src/credentials/CertificateValidityPolicy.h b/src/credentials/CertificateValidityPolicy.h
index 121647d1b94226..58552af728a047 100644
--- a/src/credentials/CertificateValidityPolicy.h
+++ b/src/credentials/CertificateValidityPolicy.h
@@ -60,5 +60,39 @@ class CertificateValidityPolicy
     static CHIP_ERROR ApplyDefaultPolicy(const ChipCertificateData * cert, uint8_t depth, CertificateValidityResult result);
 };
 
+class IgnoreCertificateValidityPeriodPolicy : public CertificateValidityPolicy
+{
+public:
+    IgnoreCertificateValidityPeriodPolicy() {}
+
+    /**
+     * This certificate validity policy does not validate NotBefore or
+     * NotAfter to accommodate platforms that may have wall clock time, but
+     * where it is unreliable.
+     *
+     * Last Known Good Time is also not considered in this policy.
+     *
+     * @param cert CHIP Certificate for which we are evaluating validity
+     * @param depth the depth of the certificate in the chain, where the leaf is at depth 0
+     * @return CHIP_NO_ERROR if CHIPCert should accept the certificate; an appropriate CHIP_ERROR if it should be rejected
+     */
+    CHIP_ERROR ApplyCertificateValidityPolicy(const Credentials::ChipCertificateData * cert, uint8_t depth,
+                                              Credentials::CertificateValidityResult result) override
+    {
+        switch (result)
+        {
+        case Credentials::CertificateValidityResult::kValid:
+        case Credentials::CertificateValidityResult::kNotYetValid:
+        case Credentials::CertificateValidityResult::kExpired:
+        case Credentials::CertificateValidityResult::kNotExpiredAtLastKnownGoodTime:
+        case Credentials::CertificateValidityResult::kExpiredAtLastKnownGoodTime:
+        case Credentials::CertificateValidityResult::kTimeUnknown:
+            return CHIP_NO_ERROR;
+        default:
+            return CHIP_ERROR_INVALID_ARGUMENT;
+        }
+    }
+};
+
 } // namespace Credentials
 } // namespace chip
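Review bot: The new `IgnoreCertificateValidityPeriodPolicy` class has no class-level comment, and the only description sits on `ApplyCertificateValidityPolicy`, so a reader choosing this type from `src/credentials` is not told up front that `kExpired`, `kNotYetValid` and `kExpiredAtLastKnownGoodTime` are all accepted. Since the commit message says the move is meant to make the policy easier for clients to use, I would add a comment above the class such as `/// Accepts certificates outside their NotBefore/NotAfter window; use only where wall-clock time is unreliable.` and fill in the missing `@param result the validity-period outcome being evaluated`. The same comment could state that the `default:` branch returns `CHIP_ERROR_INVALID_ARGUMENT`, so an unrecognised result value is rejected rather than accepted. As a style point, the `Credentials::` qualifiers on the parameter types and case labels are redundant now that the class lives inside `namespace Credentials`, and they differ from `ApplyDefaultPolicy` on the context line above.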