diff --git a/src/credentials/CHIPCert.cpp b/src/credentials/CHIPCert.cpp old mode 100755 new mode 100644 index 29f5776ca0ba9f..90246c40202657 --- a/src/credentials/CHIPCert.cpp +++ b/src/credentials/CHIPCert.cpp @@ -465,9 +465,8 @@ CHIP_ERROR ChipCertificateSet::VerifySignature(const ChipCertificateData * cert, CHIP_ERROR ChipCertificateSet::ValidateCert(const ChipCertificateData * cert, ValidationContext & context, BitFlags validateFlags, uint8_t depth) { - CHIP_ERROR err = CHIP_NO_ERROR; - ChipCertificateData * caCert = nullptr; - static constexpr int kLastSecondOfDay = kSecondsPerDay - 1; + CHIP_ERROR err = CHIP_NO_ERROR; + ChipCertificateData * caCert = nullptr; // If the depth is greater than 0 then the certificate is required to be a CA certificate... if (depth > 0) @@ -524,14 +523,13 @@ CHIP_ERROR ChipCertificateSet::ValidateCert(const ChipCertificateData * cert, Va } // Verify the validity time of the certificate, if requested. - if (cert->mNotBeforeDate != 0 && !validateFlags.Has(CertValidateFlags::kIgnoreNotBefore)) + if (cert->mNotBeforeTime != 0 && !validateFlags.Has(CertValidateFlags::kIgnoreNotBefore)) { - VerifyOrExit(context.mEffectiveTime >= PackedCertDateToTime(cert->mNotBeforeDate), err = CHIP_ERROR_CERT_NOT_VALID_YET); + VerifyOrExit(context.mEffectiveTime >= cert->mNotBeforeTime, err = CHIP_ERROR_CERT_NOT_VALID_YET); } - if (cert->mNotAfterDate != 0 && !validateFlags.Has(CertValidateFlags::kIgnoreNotAfter)) + if (cert->mNotAfterTime != 0 && !validateFlags.Has(CertValidateFlags::kIgnoreNotAfter)) { - VerifyOrExit(context.mEffectiveTime <= PackedCertDateToTime(cert->mNotAfterDate) + kLastSecondOfDay, - err = CHIP_ERROR_CERT_EXPIRED); + VerifyOrExit(context.mEffectiveTime <= cert->mNotAfterTime, err = CHIP_ERROR_CERT_EXPIRED); } // If the certificate itself is trusted, then it is implicitly valid. Record this certificate as the trust 
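Review bot: The not-before guard `if (cert->mNotBeforeTime != 0 && ...)` now treats a genuine value of 0 — which in the new encoding is 2020-01-01 00:00:00 UTC, not only the 'no well-defined expiration' sentinel used for NotAfter — as "skip the check". That is harmless here, since `mEffectiveTime` is a uint32_t and `mEffectiveTime >= 0` could only succeed anyway, but the reasoning is not on the page; suggest `// 0 is the kNullCertTime sentinel; for NotBefore it is also the epoch itself, so skipping is equivalent to passing.` above that line. Dropping kLastSecondOfDay makes both bounds exact-second and inclusive, which matches RFC 5280's inclusive notBefore/notAfter, but it also rejects effective times in the last partial day that the day-rounded check previously accepted, so that behaviour change is worth stating explicitly in the commit message. ValidateCert's body continues outside the hunk.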
@@ -641,8 +639,8 @@ void ChipCertificateData::Clear()
 mIssuerDN.Clear();
 mSubjectKeyId.Clear();
 mAuthKeyId.Clear();
- mNotBeforeDate = 0;
- mNotAfterDate = 0;
+ mNotBeforeTime = 0;
+ mNotAfterTime = 0;
 mPublicKey = nullptr;
 mPublicKeyLen = 0;
 mPubKeyCurveOID = 0;
@@ -733,115 +731,52 @@ bool CertificateKeyId::IsEqual(const CertificateKeyId & other) const return mId != nullptr && other.mId != nullptr && mLen == other.mLen && memcmp(mId, other.mId, mLen) == 0; } -DLL_EXPORT CHIP_ERROR PackCertTime(const ASN1UniversalTime & time, uint32_t & packedTime) +DLL_EXPORT CHIP_ERROR ASN1ToChipEpochTime(const chip::ASN1::ASN1UniversalTime & asn1Time, uint32_t & epochTime) { - enum - { - kCertTimeBaseYear = 2020, - kCertTimeMaxYear = kCertTimeBaseYear + - UINT32_MAX / (kMonthsPerYear * kMaxDaysPerMonth * kHoursPerDay * kMinutesPerHour * kSecondsPerMinute), - kX509NoWellDefinedExpirationDateYear = 9999 - }; - - // The packed time in a CHIP certificate cannot represent dates prior to 2020/01/01. - if (time.Year < kCertTimeBaseYear) - { - return ASN1_ERROR_UNSUPPORTED_ENCODING; - } + CHIP_ERROR err = CHIP_NO_ERROR; // X.509/RFC5280 defines the special time 99991231235959Z to mean 'no well-defined expiration date'. - // We represent that as a packed time value of 0, which for simplicity's sake is assigned to any - // date in the associated year. - if (time.Year == kX509NoWellDefinedExpirationDateYear) + // In CHIP certificate it is represented as a CHIP Epoch UTC time value of 0 sec (2020-01-01 00:00:00 UTC). + if ((asn1Time.Year == kX509NoWellDefinedExpirationDateYear) && (asn1Time.Month == kMonthsPerYear) && + (asn1Time.Day == kMaxDaysPerMonth) && (asn1Time.Hour == kHoursPerDay - 1) && (asn1Time.Minute == kMinutesPerHour - 1) && + (asn1Time.Second == kSecondsPerMinute - 1)) { - packedTime = kNullCertTime; - return CHIP_NO_ERROR; + epochTime = kNullCertTime; } - - // Technically packed certificate time values could grow beyond 32bits. However we restrict it here - // to dates that fit within 32bits to reduce code size and eliminate the need for 64bit math. 
- if (time.Year > kCertTimeMaxYear) + else { - return ASN1_ERROR_UNSUPPORTED_ENCODING; + if (!CalendarToChipEpochTime(asn1Time.Year, asn1Time.Month, asn1Time.Day, asn1Time.Hour, asn1Time.Minute, asn1Time.Second, + epochTime)) + { + ExitNow(err = ASN1_ERROR_UNSUPPORTED_ENCODING); + } } - packedTime = time.Year - kCertTimeBaseYear; - packedTime = packedTime * kMonthsPerYear + time.Month - 1; - packedTime = packedTime * kMaxDaysPerMonth + time.Day - 1; - packedTime = packedTime * kHoursPerDay + time.Hour; - packedTime = packedTime * kMinutesPerHour + time.Minute; - packedTime = packedTime * kSecondsPerMinute + time.Second; - - return CHIP_NO_ERROR; +exit: + return err; } -DLL_EXPORT CHIP_ERROR UnpackCertTime(uint32_t packedTime, ASN1UniversalTime & time) +DLL_EXPORT CHIP_ERROR ChipEpochToASN1Time(uint32_t epochTime, chip::ASN1::ASN1UniversalTime & asn1Time) { - enum - { - kCertTimeBaseYear = 2020, - kX509NoWellDefinedExpirationDateYear = 9999, - }; - // X.509/RFC5280 defines the special time 99991231235959Z to mean 'no well-defined expiration date'. - // We represent that as a packed time value of 0. - if (packedTime == kNullCertTime) + // In CHIP certificate it is represented as a CHIP Epoch time value of 0 secs (2020-01-01 00:00:00 UTC). 
+ if (epochTime == kNullCertTime) { - time.Year = kX509NoWellDefinedExpirationDateYear; - time.Month = kMonthsPerYear; - time.Day = kMaxDaysPerMonth; - time.Hour = kHoursPerDay - 1; - time.Minute = kMinutesPerHour - 1; - time.Second = kSecondsPerMinute - 1; + asn1Time.Year = kX509NoWellDefinedExpirationDateYear; + asn1Time.Month = kMonthsPerYear; + asn1Time.Day = kMaxDaysPerMonth; + asn1Time.Hour = kHoursPerDay - 1; + asn1Time.Minute = kMinutesPerHour - 1; + asn1Time.Second = kSecondsPerMinute - 1; } - else { - time.Second = static_cast(packedTime % kSecondsPerMinute); - packedTime /= kSecondsPerMinute; - - time.Minute = static_cast(packedTime % kMinutesPerHour); - packedTime /= kMinutesPerHour; - - time.Hour = static_cast(packedTime % kHoursPerDay); - packedTime /= kHoursPerDay; - - time.Day = static_cast((packedTime % kMaxDaysPerMonth) + 1); - packedTime /= kMaxDaysPerMonth; - - time.Month = static_cast((packedTime % kMonthsPerYear) + 1); - packedTime /= kMonthsPerYear; - - time.Year = static_cast(packedTime + kCertTimeBaseYear); + ChipEpochToCalendarTime(epochTime, asn1Time.Year, asn1Time.Month, asn1Time.Day, asn1Time.Hour, asn1Time.Minute, + asn1Time.Second); } return CHIP_NO_ERROR; } -DLL_EXPORT uint16_t PackedCertTimeToDate(uint32_t packedTime) -{ - return static_cast(packedTime / kSecondsPerDay); -} - -DLL_EXPORT uint32_t PackedCertDateToTime(uint16_t packedDate) -{ - return static_cast(packedDate * kSecondsPerDay); -} - -DLL_EXPORT uint32_t SecondsSinceEpochToPackedCertTime(uint32_t secondsSinceEpoch) -{ - chip::ASN1::ASN1UniversalTime asn1Time; - uint32_t packedTime; - - // Convert seconds-since-epoch to calendar date and time and store in an ASN1UniversalTime structure. - SecondsSinceEpochToCalendarTime(secondsSinceEpoch, asn1Time.Year, asn1Time.Month, asn1Time.Day, asn1Time.Hour, asn1Time.Minute, - asn1Time.Second); - - // Convert the calendar date/time to a packed certificate date/time. 
- PackCertTime(asn1Time, packedTime); - - return packedTime; -} - } // namespace Credentials } // namespace chip diff --git a/src/credentials/CHIPCert.h b/src/credentials/CHIPCert.h index 5091f11cf9b0de..4774efd31ef2e2 100644 --- a/src/credentials/CHIPCert.h +++ b/src/credentials/CHIPCert.h @@ -39,8 +39,9 @@ namespace chip { namespace Credentials { -const uint32_t kKeyIdentifierLength = 20; -const uint32_t kChipIdUTF8Length = 16; +static constexpr uint32_t kKeyIdentifierLength = 20; +static constexpr uint32_t kChipIdUTF8Length = 16; +static constexpr uint16_t kX509NoWellDefinedExpirationDateYear = 9999; /** Data Element Tags for the CHIP Certificate */ @@ -244,8 +245,8 @@ struct ChipCertificateData ChipDN mIssuerDN; /**< Certificate Issuer DN. */ CertificateKeyId mSubjectKeyId; /**< Certificate Subject public key identifier. */ CertificateKeyId mAuthKeyId; /**< Certificate Authority public key identifier. */ - uint16_t mNotBeforeDate; /**< Certificate validity: Not Before field. */ - uint16_t mNotAfterDate; /**< Certificate validity: Not After field. */ + uint32_t mNotBeforeTime; /**< Certificate validity: Not Before field. */ + uint32_t mNotAfterTime; /**< Certificate validity: Not After field. */ const uint8_t * mPublicKey; /**< Pointer to the certificate public key. */ uint8_t mPublicKeyLen; /**< Certificate public key length. */ uint16_t mPubKeyCurveOID; /**< Public key Elliptic Curve CHIP OID. */ @@ -274,7 +275,7 @@ struct ChipCertificateData */ struct ValidationContext { - uint32_t mEffectiveTime; /**< Current time in the CHIP Packed Certificate Time format. */ + uint32_t mEffectiveTime; /**< Current CHIP Epoch UTC time. */ const ChipCertificateData * mTrustAnchor; /**< Pointer to the Trust Anchor Certificate data structure. */ const ChipCertificateData * mSigningCert; /**< Pointer to the Signing Certificate data structure. */ BitFlags mRequiredKeyUsages; /**< Key usage extensions that should be present in the 
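Review bot: In ASN1ToChipEpochTime the else branch can legitimately produce `epochTime == 0` for an input of exactly 2020-01-01 00:00:00 UTC (the comment above defines 0 as that instant), and that value is indistinguishable from kNullCertTime: ChipEpochToASN1Time will turn it back into 99991231235959Z, and ValidateCert skips the bound entirely. For NotBefore this corrupts the round trip of the re-encoded X.509 certificate; for NotAfter it silently turns an already-expired certificate into one that never expires. If the epoch instant itself is not meant to be encodable, reject it after the conversion with `VerifyOrExit(epochTime != kNullCertTime, err = ASN1_ERROR_UNSUPPORTED_ENCODING);`; otherwise the reserved value needs to be documented in the CHIPCert.h API comments (the @@ -604 hunk) and accounted for where ConvertValidity in CHIPCertFromX509.cpp writes it to the TLV. Both ASN1ToChipEpochTime and ChipEpochToASN1Time lie fully inside this hunk.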
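Review bot: `static constexpr` at namespace scope in a header gives every translation unit its own internal-linkage copy of kKeyIdentifierLength, kChipIdUTF8Length and kX509NoWellDefinedExpirationDateYear; for integral constants that is a linkage-hygiene matter rather than a correctness one, but if the project compiles as C++17 or later the conventional single-definition form is `inline constexpr uint32_t kKeyIdentifierLength = 20;` (same for the other two). The language standard in use is not visible from this diff, so confirm against the build settings before changing it.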
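Review bot: The trailing comments on `mNotBeforeTime` and `mNotAfterTime` were carried over verbatim from the uint16_t date fields and no longer say what the values are; since both the type and the encoding changed, state the unit and the reserved value here, e.g. `uint32_t mNotBeforeTime; /**< Certificate validity: Not Before, in CHIP Epoch UTC seconds (0 = 2020-01-01 00:00:00 UTC). */` and `uint32_t mNotAfterTime; /**< Certificate validity: Not After, in CHIP Epoch UTC seconds; 0 (kNullCertTime) means 'no well-defined expiration'. */`. ValidateCert in CHIPCert.cpp depends on the 0 sentinel to skip the bound, and a reader of this struct is the one who needs to know that. The @@ -274 hunk's `/**< Current CHIP Epoch UTC time. */` on mEffectiveTime should likewise say "in seconds" so the three fields are documented consistently.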
@@ -604,83 +605,31 @@ CHIP_ERROR DetermineCertType(ChipCertificateData & cert); /** * @brief - * Convert a certificate date/time (in the form of an ASN.1 universal time structure) into a packed - * certificate date/time. - * - * @details - * Packed certificate date/times provide a compact representation for the time values within a certificate - * (notBefore and notAfter) that does not require full calendar math to interpret. - * - * A packed certificate date/time contains the fields of a calendar date/time--i.e. year, month, day, hour, - * minute, second--packed into an unsigned integer. The bit representation is organized such that - * ordinal comparisons of packed date/time values correspond to the natural ordering of the corresponding - * times. To reduce their size, packed certificate date/times are limited to representing times that are on - * or after 2020/01/01 00:00:00. When housed within a 32-bit unsigned integer, packed certificate - * date/times can represent times up to the year 2153. + * Convert a certificate date/time (in the form of an ASN.1 universal time structure) into a CHIP Epoch UTC time. * * @note * This function makes no attempt to verify the correct range of the input time other than year. * Therefore callers must make sure the supplied values are valid prior to invocation. * - * @param time The calendar date/time to be converted. - * @param packedTime A reference to an integer that will receive packed date/time. + * @param asn1Time The calendar date/time to be converted. + * @param epochTime A reference to an integer that will receive CHIP Epoch UTC time. * * @retval #CHIP_NO_ERROR If the input time was successfully converted. * @retval #ASN1_ERROR_UNSUPPORTED_ENCODING If the input time contained a year value that could not - * be represented in a packed certificate time value. + * be represented in a CHIP epoch UTC time value. 
**/ -CHIP_ERROR PackCertTime(const chip::ASN1::ASN1UniversalTime & time, uint32_t & packedTime); +CHIP_ERROR ASN1ToChipEpochTime(const chip::ASN1::ASN1UniversalTime & asn1Time, uint32_t & epochTime); /** * @brief - * Unpack a packed certificate date/time into an ASN.1 universal time structure. + * Convert a CHIP epoch UTC time into an ASN.1 universal time structure. * - * @param packedTime A packed certificate time to be unpacked. - * @param time A reference to an ASN1UniversalTime structure to receive the unpacked date/time. + * @param epochTime A CHIP epoch UTC time to be converted. + * @param asn1Time A reference to an ASN1UniversalTime structure to receive the date/time. * - * @retval #CHIP_NO_ERROR If the input time was successfully unpacked. + * @retval #CHIP_NO_ERROR If the input time was successfully converted. */ -CHIP_ERROR UnpackCertTime(uint32_t packedTime, chip::ASN1::ASN1UniversalTime & time); - -/** - * @brief - * Convert a packed certificate date/time to a packed certificate date. - * - * @details - * A packed certificate date contains the fields of a calendar date--year, month, day--packed into an - * unsigned integer. The bits are organized such that ordinal comparisons of packed date values - * correspond to the natural ordering of the corresponding dates. To reduce their size, packed - * certificate dates are limited to representing dates on or after 2020/01/01. When housed within - * a 16-bit unsigned integer, packed certificate dates can represent dates up to the year 2196. - * - * @param packedTime The packed certificate date/time to be converted. - * - * @return A corresponding packed certificate date. - **/ -uint16_t PackedCertTimeToDate(uint32_t packedTime); - -/** - * @brief - * Convert a packed certificate date to a corresponding packed certificate date/time, where - * the time portion of the value is set to 00:00:00. - * - * @param packedDate The packed certificate date to be converted. 
- * - * @return A corresponding packed certificate date/time. - **/ -uint32_t PackedCertDateToTime(uint16_t packedDate); - -/** - * @brief - * Convert the number of seconds since 1970-01-01 00:00:00 UTC to a packed certificate date/time. - * - * @param secondsSinceEpoch Number of seconds since 1970-01-01 00:00:00 UTC. - * Note: this value is compatible with *positive* values - * of the POSIX time_t value, up to the year 2105. - * - * @return A corresponding packed certificate date/time. - **/ -uint32_t SecondsSinceEpochToPackedCertTime(uint32_t secondsSinceEpoch); +CHIP_ERROR ChipEpochToASN1Time(uint32_t epochTime, chip::ASN1::ASN1UniversalTime & asn1Time); /** * @return True if the OID represents a CHIP-defined X.509 distinguished named attribute. diff --git a/src/credentials/CHIPCertFromX509.cpp b/src/credentials/CHIPCertFromX509.cpp index 4015d5bd277c5f..51cdbf863cee3c 100644 --- a/src/credentials/CHIPCertFromX509.cpp +++ b/src/credentials/CHIPCertFromX509.cpp 
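Review bot: The retained `@note` on ASN1ToChipEpochTime ("makes no attempt to verify the correct range of the input time other than year") looks stale: the new body delegates to CalendarToChipEpochTime and maps its false result to ASN1_ERROR_UNSUPPORTED_ENCODING, so what is validated now depends on that helper, which is not visible here — confirm and reword the note to describe the actual contract, or drop it. The @brief should also say that only the exact 99991231235959Z input maps to the "no well-defined expiration" value, since the old any-date-in-9999 behaviour was removed. For ChipEpochToASN1Time, add `@note An epochTime of 0 (kNullCertTime) is decoded as 99991231235959Z.` so the reserved value is part of the documented interface rather than only a .cpp comment.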
@@ -179,21 +179,25 @@ static CHIP_ERROR ConvertDistinguishedName(ASN1Reader & reader, TLVWriter & writ static CHIP_ERROR ConvertValidity(ASN1Reader & reader, TLVWriter & writer) { CHIP_ERROR err; - ASN1UniversalTime notBeforeTime, notAfterTime; - uint32_t packedNotBeforeTime, packedNotAfterTime; + ASN1UniversalTime asn1Time; + uint32_t chipEpochTime; ASN1_PARSE_ENTER_SEQUENCE { - ASN1_PARSE_TIME(notBeforeTime); - err = PackCertTime(notBeforeTime, packedNotBeforeTime); + ASN1_PARSE_TIME(asn1Time); + + err = ASN1ToChipEpochTime(asn1Time, chipEpochTime); SuccessOrExit(err); - err = writer.Put(ContextTag(kTag_NotBefore), packedNotBeforeTime); + + err = writer.Put(ContextTag(kTag_NotBefore), chipEpochTime); SuccessOrExit(err); - ASN1_PARSE_TIME(notAfterTime); - err = PackCertTime(notAfterTime, packedNotAfterTime); + ASN1_PARSE_TIME(asn1Time); + + err = ASN1ToChipEpochTime(asn1Time, chipEpochTime); SuccessOrExit(err); - err = writer.Put(ContextTag(kTag_NotAfter), packedNotAfterTime); + + err = writer.Put(ContextTag(kTag_NotAfter), chipEpochTime); SuccessOrExit(err); } ASN1_EXIT_SEQUENCE; diff --git a/src/credentials/CHIPCertToX509.cpp b/src/credentials/CHIPCertToX509.cpp index 95fe3cbc320177..bb6fe2ccbe4745 100644 --- a/src/credentials/CHIPCertToX509.cpp +++ b/src/credentials/CHIPCertToX509.cpp 
@@ -209,28 +209,34 @@ static CHIP_ERROR DecodeConvertValidity(TLVReader & reader, ASN1Writer & writer, { CHIP_ERROR err; ASN1UniversalTime asn1Time; - uint64_t packedTime; + uint64_t chipEpochTime; ASN1_START_SEQUENCE { err = reader.Next(kTLVType_UnsignedInteger, ContextTag(kTag_NotBefore)); SuccessOrExit(err); - err = reader.Get(packedTime); + + err = reader.Get(chipEpochTime); SuccessOrExit(err); - VerifyOrExit(packedTime <= UINT32_MAX, err = CHIP_ERROR_UNSUPPORTED_CERT_FORMAT); - certData.mNotBeforeDate = PackedCertTimeToDate(static_cast(packedTime)); - err = UnpackCertTime(static_cast(packedTime), asn1Time); + + VerifyOrExit(chipEpochTime <= UINT32_MAX, err = CHIP_ERROR_UNSUPPORTED_CERT_FORMAT); + certData.mNotBeforeTime = static_cast(chipEpochTime); + + err = ChipEpochToASN1Time(static_cast(chipEpochTime), asn1Time); SuccessOrExit(err); ASN1_ENCODE_TIME(asn1Time); err = reader.Next(kTLVType_UnsignedInteger, ContextTag(kTag_NotAfter)); SuccessOrExit(err); - err = reader.Get(packedTime); + + err = reader.Get(chipEpochTime); SuccessOrExit(err); - VerifyOrExit(packedTime <= UINT32_MAX, err = CHIP_ERROR_UNSUPPORTED_CERT_FORMAT); - certData.mNotAfterDate = PackedCertTimeToDate(static_cast(packedTime)); - err = UnpackCertTime(static_cast(packedTime), asn1Time); + + VerifyOrExit(chipEpochTime <= UINT32_MAX, err = CHIP_ERROR_UNSUPPORTED_CERT_FORMAT); + certData.mNotAfterTime = static_cast(chipEpochTime); + + err = ChipEpochToASN1Time(static_cast(chipEpochTime), asn1Time); SuccessOrExit(err); ASN1_ENCODE_TIME(asn1Time); diff --git a/src/credentials/tests/CHIPCert_test_vectors.cpp b/src/credentials/tests/CHIPCert_test_vectors.cpp index 8959b10ca2c483..36893894ef0d0a 100644 --- a/src/credentials/tests/CHIPCert_test_vectors.cpp +++ b/src/credentials/tests/CHIPCert_test_vectors.cpp 
@@ -220,8 +220,8 @@ DMTThuER36I738y56XimOzuaNHm+f6SKhw== extern const uint8_t sTestCert_Root_Chip[] = { 0xd5, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x30, 0x01, 0x08, 0x45, 0x7a, 0x49, 0xa1, 0xd8, 0x30, 0x18, 0x67, 0x24, 0x02, 0x01, - 0x37, 0x03, 0x27, 0x12, 0x01, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x26, 0x04, 0xef, 0x11, 0x83, 0x01, 0x26, 0x05, - 0xee, 0xa9, 0xd3, 0x27, 0x37, 0x06, 0x27, 0x12, 0x01, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x24, 0x07, 0x01, 0x24, + 0x37, 0x03, 0x27, 0x12, 0x01, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x26, 0x04, 0x6f, 0x7a, 0x7c, 0x01, 0x26, 0x05, + 0xee, 0x17, 0x1b, 0x27, 0x37, 0x06, 0x27, 0x12, 0x01, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x24, 0x07, 0x01, 0x24, 0x08, 0x01, 0x30, 0x09, 0x41, 0x04, 0x60, 0xc2, 0x96, 0xed, 0x06, 0x5d, 0x58, 0x76, 0xda, 0xa8, 0x70, 0xdc, 0x1e, 0x5a, 0x8b, 0xa7, 0xe4, 0xd0, 0xfd, 0x02, 0x96, 0xc1, 0xe7, 0xca, 0xe1, 0x5e, 0x04, 0x2e, 0xe2, 0xba, 0x1d, 0x3a, 0x7c, 0xbd, 0xe2, 0xfb, 0x95, 0xcc, 0x7a, 0x0c, 0xc4, 0xd3, 0x86, 0xe1, 0x11, 0xdf, 0xa2, 0x3b, 0xdf, 0xcc, 0xb9, 0xe9, 0x78, 0xa6, 0x3b, 0x3b, 0x9a, 
@@ -344,8 +344,8 @@ AwEHoUQDQgAEyxVOTc/KnbWBQ/hbWvpQb1RHBHuLSpnSC1ZHZZoJQt8E3eSyQlcg extern const uint8_t sTestCert_NodeCA_Chip[] = { 0xd5, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x30, 0x01, 0x08, 0x77, 0x3d, 0x91, 0x2c, 0x61, 0xaf, 0xb7, 0x64, 0x24, 0x02, 0x01, - 0x37, 0x03, 0x27, 0x12, 0x01, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x26, 0x04, 0xef, 0x11, 0x83, 0x01, 0x26, 0x05, - 0xee, 0xa9, 0xd3, 0x27, 0x37, 0x06, 0x27, 0x12, 0x02, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x24, 0x07, 0x01, 0x24, + 0x37, 0x03, 0x27, 0x12, 0x01, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x26, 0x04, 0x6f, 0x7a, 0x7c, 0x01, 0x26, 0x05, + 0xee, 0x17, 0x1b, 0x27, 0x37, 0x06, 0x27, 0x12, 0x02, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x24, 0x07, 0x01, 0x24, 0x08, 0x01, 0x30, 0x09, 0x41, 0x04, 0xcb, 0x15, 0x4e, 0x4d, 0xcf, 0xca, 0x9d, 0xb5, 0x81, 0x43, 0xf8, 0x5b, 0x5a, 0xfa, 0x50, 0x6f, 0x54, 0x47, 0x04, 0x7b, 0x8b, 0x4a, 0x99, 0xd2, 0x0b, 0x56, 0x47, 0x65, 0x9a, 0x09, 0x42, 0xdf, 0x04, 0xdd, 0xe4, 0xb2, 0x42, 0x57, 0x20, 0xe2, 0x99, 0x55, 0x15, 0x9c, 0x26, 0x38, 0x49, 0x85, 0x3d, 0x45, 0x02, 0xb0, 0x84, 0xbc, 0xad, 0xed, 0x86, 
@@ -471,8 +471,8 @@ wWLZULffnNro01y7ZS0DfY4KIuN5Xx7v7g== extern const uint8_t sTestCert_Node01_Chip[] = { 0xd5, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x30, 0x01, 0x08, 0x75, 0x2b, 0xac, 0x9f, 0xd8, 0x63, 0xab, 0xa9, 0x24, 0x02, 0x01, - 0x37, 0x03, 0x27, 0x12, 0x02, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x26, 0x04, 0xef, 0x11, 0x83, 0x01, 0x26, 0x05, - 0xee, 0xa9, 0xd3, 0x27, 0x37, 0x06, 0x27, 0x11, 0x01, 0x00, 0x00, 0x00, 0xde, 0xde, 0xde, 0xde, 0x18, 0x24, 0x07, 0x01, 0x24, + 0x37, 0x03, 0x27, 0x12, 0x02, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x26, 0x04, 0x6f, 0x7a, 0x7c, 0x01, 0x26, 0x05, + 0xee, 0x17, 0x1b, 0x27, 0x37, 0x06, 0x27, 0x11, 0x01, 0x00, 0x00, 0x00, 0xde, 0xde, 0xde, 0xde, 0x18, 0x24, 0x07, 0x01, 0x24, 0x08, 0x01, 0x30, 0x09, 0x41, 0x04, 0x36, 0x6a, 0x7f, 0x6c, 0xf4, 0xf0, 0x5a, 0x13, 0xd8, 0x35, 0x4e, 0xe0, 0xba, 0xc4, 0xe0, 0xf0, 0xac, 0xf1, 0x8b, 0x06, 0x8d, 0xa1, 0xa2, 0xef, 0xf8, 0x77, 0x85, 0xe1, 0xdc, 0x10, 0xaa, 0x0b, 0xcc, 0xc1, 0x1c, 0x68, 0xe8, 0x84, 0x65, 0xc1, 0x62, 0xd9, 0x50, 0xb7, 0xdf, 0x9c, 0xda, 0xe8, 0xd3, 0x5c, 0xbb, 0x65, 0x2d, 0x03, 0x7d, 0x8e, 0x0a, 
@@ -597,8 +597,8 @@ AwEHoUQDQgAEDsN90sc62MP9eajk3xBwhA6ZlIh1Ru5pEWD7Wsakg/6mIbMFFzzz extern const uint8_t sTestCert_FirmwareSigningCA_Chip[] = { 0xd5, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x30, 0x01, 0x08, 0x68, 0x09, 0x92, 0xaa, 0xc3, 0x3c, 0xf0, 0xd8, 0x24, 0x02, 0x01, - 0x37, 0x03, 0x27, 0x12, 0x01, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x26, 0x04, 0xef, 0x11, 0x83, 0x01, 0x26, 0x05, - 0xee, 0xa9, 0xd3, 0x27, 0x37, 0x06, 0x27, 0x12, 0x04, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x24, 0x07, 0x01, 0x24, + 0x37, 0x03, 0x27, 0x12, 0x01, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x26, 0x04, 0x6f, 0x7a, 0x7c, 0x01, 0x26, 0x05, + 0xee, 0x17, 0x1b, 0x27, 0x37, 0x06, 0x27, 0x12, 0x04, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x24, 0x07, 0x01, 0x24, 0x08, 0x01, 0x30, 0x09, 0x41, 0x04, 0x0e, 0xc3, 0x7d, 0xd2, 0xc7, 0x3a, 0xd8, 0xc3, 0xfd, 0x79, 0xa8, 0xe4, 0xdf, 0x10, 0x70, 0x84, 0x0e, 0x99, 0x94, 0x88, 0x75, 0x46, 0xee, 0x69, 0x11, 0x60, 0xfb, 0x5a, 0xc6, 0xa4, 0x83, 0xfe, 0xa6, 0x21, 0xb3, 0x05, 0x17, 0x3c, 0xf3, 0xf9, 0x2d, 0x00, 0x39, 0x4f, 0xf3, 0xf2, 0x23, 0x7e, 0xd2, 0xdc, 0x36, 0x78, 0x4a, 0xec, 0xbe, 0x20, 0x69, 
@@ -724,8 +724,8 @@ zIvdNDioP6c/rMf/vaclQG6r+E4g7CdHYA== extern const uint8_t sTestCert_FirmwareSigning_Chip[] = { 0xd5, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x30, 0x01, 0x08, 0x5c, 0xa7, 0x25, 0x47, 0x7f, 0xd2, 0x95, 0xbb, 0x24, 0x02, 0x01, - 0x37, 0x03, 0x27, 0x12, 0x04, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x26, 0x04, 0xef, 0x11, 0x83, 0x01, 0x26, 0x05, - 0xee, 0xa9, 0xd3, 0x27, 0x37, 0x06, 0x27, 0x13, 0x01, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x18, 0x24, 0x07, 0x01, 0x24, + 0x37, 0x03, 0x27, 0x12, 0x04, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x18, 0x26, 0x04, 0x6f, 0x7a, 0x7c, 0x01, 0x26, 0x05, + 0xee, 0x17, 0x1b, 0x27, 0x37, 0x06, 0x27, 0x13, 0x01, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x18, 0x24, 0x07, 0x01, 0x24, 0x08, 0x01, 0x30, 0x09, 0x41, 0x04, 0xc3, 0xc4, 0x61, 0x40, 0x51, 0x3f, 0x6a, 0xa5, 0x95, 0x54, 0x33, 0xa4, 0xf0, 0x89, 0x42, 0x2e, 0xfc, 0x72, 0xae, 0xc5, 0x21, 0x08, 0x94, 0x42, 0x9c, 0xf5, 0x4d, 0xd3, 0x31, 0x2a, 0x82, 0x55, 0x46, 0x42, 0x2c, 0xcc, 0x29, 0xb9, 0x8e, 0xcc, 0x8b, 0xdd, 0x34, 0x38, 0xa8, 0x3f, 0xa7, 0x3f, 0xac, 0xc7, 0xff, 0xbd, 0xa7, 0x25, 0x40, 0x6e, 0xab, diff --git a/src/credentials/tests/TestChipCert.cpp b/src/credentials/tests/TestChipCert.cpp index 9ad8eab6fafce7..deeb94b8b590fb 100644 --- a/src/credentials/tests/TestChipCert.cpp +++ b/src/credentials/tests/TestChipCert.cpp @@ -131,7 +131,7 @@ static CHIP_ERROR SetEffectiveTime(ValidationContext & validContext, uint16_t ye effectiveTime.Minute = min; effectiveTime.Second = sec; - return PackCertTime(effectiveTime, validContext.mEffectiveTime); + return ASN1ToChipEpochTime(effectiveTime, validContext.mEffectiveTime); } static void TestChipCert_ChipToX509(nlTestSuite * inSuite, void * inContext) 
@@ -414,28 +414,31 @@ static void TestChipCert_CertValidTime(nlTestSuite * inSuite, void * inContext) NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_CERT_NOT_VALID_YET); // 1 second before validity period. - err = SetEffectiveTime(validContext, 2020, 10, 14, 23, 59, 59); + err = SetEffectiveTime(validContext, 2020, 10, 15, 14, 23, 42); NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR); err = certSet.ValidateCert(certSet.GetLastCert(), validContext); NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_CERT_NOT_VALID_YET); - // 1st second of 1st day of validity period. - // NOTE: the given time is technically outside the stated certificate validity period, which starts mid-day. - // However for simplicity's sake, the Chip cert validation algorithm rounds the validity period to whole days. - err = SetEffectiveTime(validContext, 2020, 10, 15, 0, 0, 0); + // 1st second of validity period. + err = SetEffectiveTime(validContext, 2020, 10, 15, 14, 23, 43); NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR); err = certSet.ValidateCert(certSet.GetLastCert(), validContext); NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR); - // Last second of last day of validity period. - // As above, this time is considered valid because of rounding to whole days. - err = SetEffectiveTime(validContext, 2040, 10, 15, 23, 59, 59); + // Validity period. + err = SetEffectiveTime(validContext, 2022, 02, 23, 12, 30, 01); + NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR); + err = certSet.ValidateCert(certSet.GetLastCert(), validContext); + NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR); + + // Last second of validity period. + err = SetEffectiveTime(validContext, 2040, 10, 15, 14, 23, 42); NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR); err = certSet.ValidateCert(certSet.GetLastCert(), validContext); NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR); // 1 second after end of certificate validity period. 
- err = SetEffectiveTime(validContext, 2040, 10, 16, 0, 0, 0); + err = SetEffectiveTime(validContext, 2040, 10, 15, 14, 23, 43); NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR); err = certSet.ValidateCert(certSet.GetLastCert(), validContext); NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_CERT_EXPIRED);
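Review bot: `SetEffectiveTime(validContext, 2022, 02, 23, 12, 30, 01)` uses leading-zero integer literals, which are octal in C++; 02 and 01 happen to be the intended values, but the same style with 08 or 09 is a compile error and every other call in the hunk writes the fields unpadded, so use `SetEffectiveTime(validContext, 2022, 2, 23, 12, 30, 1)`. The hunk now pins both inclusive second-exact bounds, which is the right coverage for the kLastSecondOfDay removal, but nothing exercises the kNullCertTime path: a certificate whose notAfter is 99991231235959Z validated at a far-future effective time would cover the sentinel branch in ASN1ToChipEpochTime and the `mNotAfterTime != 0` skip in ValidateCert. TestChipCert_CertValidTime's body begins outside the hunk.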