Re-Enable Certificate Validity Time Checks (#17225)
emargolis authored Apr 9, 2022
1 parent fa5561c commit 25cfd8d
Showing 2 changed files with 7 additions and 9 deletions.
11 changes: 5 additions & 6 deletions src/crypto/CHIPCryptoPALOpenSSL.cpp
Expand Up @@ -1737,7 +1737,7 @@ CHIP_ERROR IsCertificateValidAtIssuance(const ByteSpan & referenceCertificate, c
ASN1_TIME * refNotBeforeTime = nullptr;
ASN1_TIME * tbeNotBeforeTime = nullptr;
ASN1_TIME * tbeNotAfterTime = nullptr;
// int result = 0;
int result = 0;

VerifyOrReturnError(!referenceCertificate.empty() && !toBeEvaluatedCertificate.empty(), CHIP_ERROR_INVALID_ARGUMENT);

Expand All @@ -1753,14 +1753,13 @@ CHIP_ERROR IsCertificateValidAtIssuance(const ByteSpan & referenceCertificate, c
tbeNotAfterTime = X509_get_notAfter(x509toBeEvaluatedCertificate);
VerifyOrExit(refNotBeforeTime && tbeNotBeforeTime && tbeNotAfterTime, error = CHIP_ERROR_INTERNAL);

// TODO: Handle PAA/PAI re-issue and enable below time validations
// result = ASN1_TIME_compare(refNotBeforeTime, tbeNotBeforeTime);
result = ASN1_TIME_compare(refNotBeforeTime, tbeNotBeforeTime);
// check if referenceCertificate is issued at or after tbeCertificate's notBefore timestamp
// VerifyOrExit(result >= 0, error = CHIP_ERROR_CERT_EXPIRED);
VerifyOrExit(result >= 0, error = CHIP_ERROR_CERT_EXPIRED);

// result = ASN1_TIME_compare(refNotBeforeTime, tbeNotAfterTime);
result = ASN1_TIME_compare(refNotBeforeTime, tbeNotAfterTime);
// check if referenceCertificate is issued at or before tbeCertificate's notAfter timestamp
// VerifyOrExit(result <= 0, error = CHIP_ERROR_CERT_EXPIRED);
VerifyOrExit(result <= 0, error = CHIP_ERROR_CERT_EXPIRED);

exit:
X509_free(x509ReferenceCertificate);
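Review bot: The re-enabled notAfter check lets an OpenSSL comparison failure through: ASN1_TIME_compare() returns -2 when it cannot compare the two times, and `VerifyOrExit(result <= 0, ...)` then treats -2 as "issued at or before notAfter", so a certificate pair whose times fail to compare would be accepted instead of rejected. The notBefore check just above rejects -2 only incidentally, because its direction is `>= 0`, and reports it as CHIP_ERROR_CERT_EXPIRED rather than an internal failure. Handle the sentinel explicitly after each compare, e.g. `VerifyOrExit(result != -2, error = CHIP_ERROR_INTERNAL);` immediately before each existing `VerifyOrExit(result ...)` line. Both files also use CHIP_ERROR_CERT_EXPIRED for the first check, whose failure means the evaluated certificate was not yet valid when the reference certificate was issued; a short comment explaining why one code covers both cases, or a distinct code, would help callers and logs (same applies to the mbedTLS section below). IsCertificateValidAtIssuance starts before this hunk and its cleanup continues past it.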
5 changes: 2 additions & 3 deletions src/crypto/CHIPCryptoPALmbedTLS.cpp
Expand Up @@ -1403,12 +1403,11 @@ CHIP_ERROR IsCertificateValidAtIssuance(const ByteSpan & referenceCertificate, c
tbeNotBeforeTime = mbedToBeEvaluatedCertificate.CHIP_CRYPTO_PAL_PRIVATE_X509(valid_from);
tbeNotAfterTime = mbedToBeEvaluatedCertificate.CHIP_CRYPTO_PAL_PRIVATE_X509(valid_to);

// TODO: Handle PAA/PAI re-issue and enable below time validation
// check if referenceCertificate is issued at or after tbeCertificate's notBefore timestamp
// VerifyOrExit(IsTimeGreaterThanEqual(&refNotBeforeTime, &tbeNotBeforeTime), error = CHIP_ERROR_CERT_EXPIRED);
VerifyOrExit(IsTimeGreaterThanEqual(&refNotBeforeTime, &tbeNotBeforeTime), error = CHIP_ERROR_CERT_EXPIRED);

// check if referenceCertificate is issued at or before tbeCertificate's notAfter timestamp
// VerifyOrExit(IsTimeGreaterThanEqual(&tbeNotAfterTime, &refNotBeforeTime), error = CHIP_ERROR_CERT_EXPIRED);
VerifyOrExit(IsTimeGreaterThanEqual(&tbeNotAfterTime, &refNotBeforeTime), error = CHIP_ERROR_CERT_EXPIRED);

exit:
_log_mbedTLS_error(result);
