From b6f24010c29ff93ca27e53c03393416d47f9a197 Mon Sep 17 00:00:00 2001 From: Boris Zbarsky Date: Thu, 11 May 2023 14:43:20 -0400 Subject: [PATCH] Move the "ignore certificate validity dates" policy out of Server.h. This makes it easier to use for clients that don't have reliable wall-clock time. --- examples/platform/nxp/se05x/linux/AppMain.cpp | 2 +- src/app/server/Server.cpp | 2 +- src/app/server/Server.h | 38 +------------------ src/credentials/CertificateValidityPolicy.h | 36 ++++++++++++++++++ 4 files changed, 39 insertions(+), 39 deletions(-) diff --git a/examples/platform/nxp/se05x/linux/AppMain.cpp b/examples/platform/nxp/se05x/linux/AppMain.cpp index 2f38e784dd395c..1ecf8052100a54 100644 --- a/examples/platform/nxp/se05x/linux/AppMain.cpp +++ b/examples/platform/nxp/se05x/linux/AppMain.cpp @@ -299,7 +299,7 @@ struct CommonCaseDeviceServerInitParams_Se05x : public CommonCaseDeviceServerIni static chip::PersistentStorageOperationalKeystoreHSM sPersistentStorageOperationalKeystore; static chip::Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore; static chip::Credentials::GroupDataProviderImpl sGroupDataProvider; - static IgnoreCertificateValidityPolicy sDefaultCertValidityPolicy; + static Credentials::IgnoreCertificateValidityPeriodPolicy sDefaultCertValidityPolicy; static chip::Crypto::DefaultSessionKeystore sSessionKeystore; #if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION diff --git a/src/app/server/Server.cpp b/src/app/server/Server.cpp index 344776c49ac93b..e741b9e34f0122 100644 --- a/src/app/server/Server.cpp +++ b/src/app/server/Server.cpp @@ -535,7 +535,7 @@ KvsPersistentStorageDelegate CommonCaseDeviceServerInitParams::sKvsPersistenStor PersistentStorageOperationalKeystore CommonCaseDeviceServerInitParams::sPersistentStorageOperationalKeystore; Credentials::PersistentStorageOpCertStore CommonCaseDeviceServerInitParams::sPersistentStorageOpCertStore; Credentials::GroupDataProviderImpl CommonCaseDeviceServerInitParams::sGroupDataProvider; -IgnoreCertificateValidityPolicy CommonCaseDeviceServerInitParams::sDefaultCertValidityPolicy; +Credentials::IgnoreCertificateValidityPeriodPolicy CommonCaseDeviceServerInitParams::sDefaultCertValidityPolicy; #if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION SimpleSessionResumptionStorage CommonCaseDeviceServerInitParams::sSessionResumptionStorage; #endif diff --git a/src/app/server/Server.h b/src/app/server/Server.h index 380e8240abfed9..0a6bc5c54801f6 100644 --- a/src/app/server/Server.h +++ b/src/app/server/Server.h @@ -137,42 +137,6 @@ struct ServerInitParams Credentials::OperationalCertificateStore * opCertStore = nullptr; }; -class IgnoreCertificateValidityPolicy : public Credentials::CertificateValidityPolicy -{ -public: - IgnoreCertificateValidityPolicy() {} - - /** - * @brief - * - * This certificate validity policy does not validate NotBefore or - * NotAfter to accommodate platforms that may have wall clock time, but - * where it is unreliable. - * - * Last Known Good Time is also not considered in this policy. - * - * @param cert CHIP Certificate for which we are evaluating validity - * @param depth the depth of the certificate in the chain, where the leaf is at depth 0 - * @return CHIP_NO_ERROR if CHIPCert should accept the certificate; an appropriate CHIP_ERROR if it should be rejected - */ - CHIP_ERROR ApplyCertificateValidityPolicy(const Credentials::ChipCertificateData * cert, uint8_t depth, - Credentials::CertificateValidityResult result) override - { - switch (result) - { - case Credentials::CertificateValidityResult::kValid: - case Credentials::CertificateValidityResult::kNotYetValid: - case Credentials::CertificateValidityResult::kExpired: - case Credentials::CertificateValidityResult::kNotExpiredAtLastKnownGoodTime: - case Credentials::CertificateValidityResult::kExpiredAtLastKnownGoodTime: - case Credentials::CertificateValidityResult::kTimeUnknown: - return CHIP_NO_ERROR; - default: - return CHIP_ERROR_INVALID_ARGUMENT; - } - } -}; - /** * Transitional version of ServerInitParams to assist SDK integrators in * transitioning to injecting product/platform-owned resources. This version @@ -289,7 +253,7 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams static PersistentStorageOperationalKeystore sPersistentStorageOperationalKeystore; static Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore; static Credentials::GroupDataProviderImpl sGroupDataProvider; - static IgnoreCertificateValidityPolicy sDefaultCertValidityPolicy; + static Credentials::IgnoreCertificateValidityPeriodPolicy sDefaultCertValidityPolicy; #if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION static SimpleSessionResumptionStorage sSessionResumptionStorage; #endif diff --git a/src/credentials/CertificateValidityPolicy.h b/src/credentials/CertificateValidityPolicy.h index 121647d1b94226..3245595947c9eb 100644 --- a/src/credentials/CertificateValidityPolicy.h +++ b/src/credentials/CertificateValidityPolicy.h @@ -60,5 +60,41 @@ class CertificateValidityPolicy static CHIP_ERROR ApplyDefaultPolicy(const ChipCertificateData * cert, uint8_t depth, CertificateValidityResult result); }; +class IgnoreCertificateValidityPeriodPolicy : public CertificateValidityPolicy +{ +public: + IgnoreCertificateValidityPeriodPolicy() {} + + /** + * @brief + * + * This certificate validity policy does not validate NotBefore or + * NotAfter to accommodate platforms that may have wall clock time, but + * where it is unreliable. + * + * Last Known Good Time is also not considered in this policy. + * + * @param cert CHIP Certificate for which we are evaluating validity + * @param depth the depth of the certificate in the chain, where the leaf is at depth 0 + * @return CHIP_NO_ERROR if CHIPCert should accept the certificate; an appropriate CHIP_ERROR if it should be rejected + */ + CHIP_ERROR ApplyCertificateValidityPolicy(const Credentials::ChipCertificateData * cert, uint8_t depth, + Credentials::CertificateValidityResult result) override + { + switch (result) + { + case Credentials::CertificateValidityResult::kValid: + case Credentials::CertificateValidityResult::kNotYetValid: + case Credentials::CertificateValidityResult::kExpired: + case Credentials::CertificateValidityResult::kNotExpiredAtLastKnownGoodTime: + case Credentials::CertificateValidityResult::kExpiredAtLastKnownGoodTime: + case Credentials::CertificateValidityResult::kTimeUnknown: + return CHIP_NO_ERROR; + default: + return CHIP_ERROR_INVALID_ARGUMENT; + } + } +}; + } // namespace Credentials } // namespace chip