Skip to content

Commit

Permalink
Change Server to not validate certificate expiration by default. (#26530
Browse files Browse the repository at this point in the history
)

If an explicit validity policy is injected that validates notBefore/notAfter, we
will do that, but if the app author just doesn't think about time-based
validation default to not validating, because there's a good chance it will just
lead to unexpected failures due to bad clocks and whatnot.
  • Loading branch information
bzbarsky-apple authored and pull[bot] committed Aug 26, 2023
1 parent 698c0e3 commit 7413188
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 7 deletions.
12 changes: 10 additions & 2 deletions src/app/server/Server.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -128,7 +128,14 @@ CHIP_ERROR Server::Init(const ServerInitParams & initParams)
mOperationalKeystore = initParams.operationalKeystore;
mOpCertStore = initParams.opCertStore;

mCertificateValidityPolicy.Init(initParams.certificateValidityPolicy);
if (initParams.certificateValidityPolicy)
{
mCertificateValidityPolicy.Init(initParams.certificateValidityPolicy);
}
else
{
mCertificateValidityPolicy.Init(&sDefaultCertValidityPolicy);
}

#if defined(CHIP_SUPPORT_ENABLE_STORAGE_API_AUDIT)
VerifyOrDie(chip::audit::ExecutePersistentStorageApiAudit(*mDeviceStorage));
Expand Down Expand Up @@ -531,11 +538,12 @@ void Server::ResumeSubscriptions()
}
#endif

Credentials::IgnoreCertificateValidityPeriodPolicy Server::sDefaultCertValidityPolicy;

KvsPersistentStorageDelegate CommonCaseDeviceServerInitParams::sKvsPersistenStorageDelegate;
PersistentStorageOperationalKeystore CommonCaseDeviceServerInitParams::sPersistentStorageOperationalKeystore;
Credentials::PersistentStorageOpCertStore CommonCaseDeviceServerInitParams::sPersistentStorageOpCertStore;
Credentials::GroupDataProviderImpl CommonCaseDeviceServerInitParams::sGroupDataProvider;
Credentials::IgnoreCertificateValidityPeriodPolicy CommonCaseDeviceServerInitParams::sDefaultCertValidityPolicy;
#if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
SimpleSessionResumptionStorage CommonCaseDeviceServerInitParams::sSessionResumptionStorage;
#endif
Expand Down
9 changes: 4 additions & 5 deletions src/app/server/Server.h
Original file line number Diff line number Diff line change
Expand Up @@ -233,10 +233,6 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
// Inject ACL storage. (Don't initialize it.)
this->aclStorage = &sAclStorage;

// Inject certificate validation policy compatible with non-wall-clock-time-synced
// embedded systems.
this->certificateValidityPolicy = &sDefaultCertValidityPolicy;

#if CHIP_CONFIG_PERSIST_SUBSCRIPTIONS
ChipLogProgress(AppServer, "Initializing subscription resumption storage...");
ReturnErrorOnFailure(sSubscriptionResumptionStorage.Init(this->persistentStorageDelegate));
Expand All @@ -253,7 +249,6 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
static PersistentStorageOperationalKeystore sPersistentStorageOperationalKeystore;
static Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore;
static Credentials::GroupDataProviderImpl sGroupDataProvider;
static Credentials::IgnoreCertificateValidityPeriodPolicy sDefaultCertValidityPolicy;
#if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
static SimpleSessionResumptionStorage sSessionResumptionStorage;
#endif
Expand Down Expand Up @@ -554,6 +549,10 @@ class Server
Ble::BleLayer * mBleLayer = nullptr;
#endif

// By default, use a certificate validation policy compatible with non-wall-clock-time-synced
// embedded systems.
static Credentials::IgnoreCertificateValidityPeriodPolicy sDefaultCertValidityPolicy;

ServerTransportMgr mTransports;
SessionManager mSessions;
CASEServer mCASEServer;
Expand Down

0 comments on commit 7413188

Please sign in to comment.