From 25cfd8df7c381bb711d98cffb39cda21ecad830d Mon Sep 17 00:00:00 2001
From: Evgeny Margolis
Date: Fri, 8 Apr 2022 20:08:38 -0700
Subject: [PATCH] Re-Enable Certificate Validity Time Checks (#17225)
---
 src/crypto/CHIPCryptoPALOpenSSL.cpp | 11 +++++------
 src/crypto/CHIPCryptoPALmbedTLS.cpp | 5 ++---
 2 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/src/crypto/CHIPCryptoPALOpenSSL.cpp b/src/crypto/CHIPCryptoPALOpenSSL.cpp
index d73bcc0684cf10..699eb7682efac6 100644
--- a/src/crypto/CHIPCryptoPALOpenSSL.cpp
+++ b/src/crypto/CHIPCryptoPALOpenSSL.cpp
@@ -1737,7 +1737,7 @@ CHIP_ERROR IsCertificateValidAtIssuance(const ByteSpan & referenceCertificate, c
     ASN1_TIME * refNotBeforeTime = nullptr;
     ASN1_TIME * tbeNotBeforeTime = nullptr;
     ASN1_TIME * tbeNotAfterTime = nullptr;
-    // int result = 0;
+    int result = 0;
 
     VerifyOrReturnError(!referenceCertificate.empty() && !toBeEvaluatedCertificate.empty(), CHIP_ERROR_INVALID_ARGUMENT);
 
@@ -1753,14 +1753,13 @@ CHIP_ERROR IsCertificateValidAtIssuance(const ByteSpan & referenceCertificate, c
     tbeNotAfterTime = X509_get_notAfter(x509toBeEvaluatedCertificate);
     VerifyOrExit(refNotBeforeTime && tbeNotBeforeTime && tbeNotAfterTime, error = CHIP_ERROR_INTERNAL);
 
-    // TODO: Handle PAA/PAI re-issue and enable below time validations
-    // result = ASN1_TIME_compare(refNotBeforeTime, tbeNotBeforeTime);
+    result = ASN1_TIME_compare(refNotBeforeTime, tbeNotBeforeTime);
     // check if referenceCertificate is issued at or after tbeCertificate's notBefore timestamp
-    // VerifyOrExit(result >= 0, error = CHIP_ERROR_CERT_EXPIRED);
+    VerifyOrExit(result >= 0, error = CHIP_ERROR_CERT_EXPIRED);
 
-    // result = ASN1_TIME_compare(refNotBeforeTime, tbeNotAfterTime);
+    result = ASN1_TIME_compare(refNotBeforeTime, tbeNotAfterTime);
     // check if referenceCertificate is issued at or before tbeCertificate's notAfter timestamp
-    // VerifyOrExit(result <= 0, error = CHIP_ERROR_CERT_EXPIRED);
+    VerifyOrExit(result <= 0, error = CHIP_ERROR_CERT_EXPIRED);
 
 exit:
     X509_free(x509ReferenceCertificate);
diff --git a/src/crypto/CHIPCryptoPALmbedTLS.cpp b/src/crypto/CHIPCryptoPALmbedTLS.cpp
index f99a3660c4b798..d8a52bc2e47a40 100644
--- a/src/crypto/CHIPCryptoPALmbedTLS.cpp
+++ b/src/crypto/CHIPCryptoPALmbedTLS.cpp
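Review bot: The second re-enabled check, `VerifyOrExit(result <= 0, error = CHIP_ERROR_CERT_EXPIRED);`, also accepts the -2 that ASN1_TIME_compare returns when one of the two times cannot be converted, so a certificate under evaluation whose notAfter is unparseable passes as "issued at or before notAfter" instead of being rejected. The first check only rejects that case by accident, because its inequality points the other way, and it then reports an internal failure as CHIP_ERROR_CERT_EXPIRED. Consider testing for the error value explicitly after each compare, e.g. `VerifyOrExit(result != -2, error = CHIP_ERROR_INTERNAL);`, or narrowing the second check to `VerifyOrExit(result == 0 || result == -1, error = CHIP_ERROR_CERT_EXPIRED);`. IsCertificateValidAtIssuance starts before this hunk and its remaining cleanup continues after it.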
@@ -1403,12 +1403,11 @@ CHIP_ERROR IsCertificateValidAtIssuance(const ByteSpan & referenceCertificate, c
     tbeNotBeforeTime = mbedToBeEvaluatedCertificate.CHIP_CRYPTO_PAL_PRIVATE_X509(valid_from);
     tbeNotAfterTime = mbedToBeEvaluatedCertificate.CHIP_CRYPTO_PAL_PRIVATE_X509(valid_to);
 
-    // TODO: Handle PAA/PAI re-issue and enable below time validation
     // check if referenceCertificate is issued at or after tbeCertificate's notBefore timestamp
-    // VerifyOrExit(IsTimeGreaterThanEqual(&refNotBeforeTime, &tbeNotBeforeTime), error = CHIP_ERROR_CERT_EXPIRED);
+    VerifyOrExit(IsTimeGreaterThanEqual(&refNotBeforeTime, &tbeNotBeforeTime), error = CHIP_ERROR_CERT_EXPIRED);
 
     // check if referenceCertificate is issued at or before tbeCertificate's notAfter timestamp
-    // VerifyOrExit(IsTimeGreaterThanEqual(&tbeNotAfterTime, &refNotBeforeTime), error = CHIP_ERROR_CERT_EXPIRED);
+    VerifyOrExit(IsTimeGreaterThanEqual(&tbeNotAfterTime, &refNotBeforeTime), error = CHIP_ERROR_CERT_EXPIRED);
 
 exit:
     _log_mbedTLS_error(result);
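Review bot: The `// TODO: Handle PAA/PAI re-issue and enable below time validation` line is dropped without recording why the checks are now safe to enforce, and the OpenSSL hunk above does the same; the next maintainer who sees CHIP_ERROR_CERT_EXPIRED for a re-issued PAA or PAI has nothing in the code to tell them whether that rejection is intended. Consider replacing the TODO with a one-line comment that records the decision, e.g. `// Validity-window checks are intentionally enforced here (re-enabled in #17225); a reference certificate issued outside the window of the certificate it is evaluated against is rejected.` The comparison itself relies on IsTimeGreaterThanEqual, which is defined outside this hunk, so its handling of a malformed mbedtls_x509_time cannot be judged from here. IsCertificateValidAtIssuance starts before this hunk.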