Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added time validity checking to Device Attestation Verifier #12212

Merged
merged 6 commits into from
Dec 3, 2021
Merged

Added time validity checking to Device Attestation Verifier #12212

merged 6 commits into from
Dec 3, 2021

Conversation

vijs
Copy link
Collaborator

@vijs vijs commented Nov 24, 2021

Problem

Change overview

  • Added helper method (cryptoPal) to compare time validity (notbefore and notafter) of two certificates.
  • Added respective unit test.
  • Added Checks for PAI/PAA within VerifyAttestationInformation method from ExampleDACVerifier.

Testing

  • Matter Unit Tests

@restyled-io restyled-io bot mentioned this pull request Nov 24, 2021
Closed
@vijs vijs requested a review from tcarmelveilleux November 24, 2021 17:21
@github-actions
Copy link

github-actions bot commented Nov 24, 2021
edited
Loading

PR #12212: Size comparison from b87d1fa to 0214b5e

Increases above 0.2%:

platform target config section b87d1fa 0214b5e change % change
linux chip-tool debug .got 4456 4480 24 0.5
tv-app debug .got 4432 4456 24 0.5
Increases (2 builds for linux)
platform target config section b87d1fa 0214b5e change % change
linux chip-tool debug (read only) 5957109 5958757 1648 0.0
(read/write) 197104 197136 32 0.0
.got 4456 4480 24 0.5
.text 5289941 5291285 1344 0.0
tv-app debug (read only) 1910681 1912329 1648 0.1
(read/write) 319624 319656 32 0.0
.got 4432 4456 24 0.5
.text 1603634 1604978 1344 0.1
Full report (38 builds for efr32, esp32, k32w, linux, mbed, nrfconnect, p6, qpg, telink)
platform target config section b87d1fa 0214b5e change % change
efr32 lighting-app BRD4161A (read only) 757072 757072 0 0.0
(read/write) 119788 119788 0 0.0
.bss 117972 117972 0 0.0
.data 1816 1816 0 0.0
.text 757064 757064 0 0.0
BRD4161A+rpc (read only) 744524 744524 0 0.0
(read/write) 136416 136416 0 0.0
.bss 134476 134476 0 0.0
.data 1940 1940 0 0.0
.text 744516 744516 0 0.0
lock-app BRD4161A (read only) 732936 732936 0 0.0
(read/write) 117508 117508 0 0.0
.bss 115732 115732 0 0.0
.data 1772 1772 0 0.0
.text 732928 732928 0 0.0
window-app BRD4161A (read only) 736368 736368 0 0.0
(read/write) 117868 117868 0 0.0
.bss 116084 116084 0 0.0
.data 1780 1780 0 0.0
.text 736360 736360 0 0.0
esp32 all-clusters-app c3devkit (read only) 835272 835272 0 0.0
(read/write) 1222362 1222362 0 0.0
.dram0.bss 57824 57824 0 0.0
.dram0.data 14100 14100 0 0.0
.flash.rodata 165184 165184 0 0.0
.flash.text 835272 835272 0 0.0
.iram0.text 61394 61394 0 0.0
m5stack (read only) 906691 906691 0 0.0
(read/write) 421676 421676 0 0.0
.dram0.bss 63216 63216 0 0.0
.dram0.data 34072 34072 0 0.0
.flash.rodata 193108 193108 0 0.0
.flash.text 901307 901307 0 0.0
.iram0.text 122943 122943 0 0.0
k32w lighting-app k32w061+se05x+release (read/write) 711816 711816 0 0.0
.bss 78132 78132 0 0.0
.data 1936 1936 0 0.0
.text 625948 625948 0 0.0
lock-app k32w061+debug (read/write) 602028 602028 0 0.0
.bss 68572 68572 0 0.0
.data 1904 1904 0 0.0
.text 525752 525752 0 0.0
shell k32w061+debug (read/write) 667520 667520 0 0.0
.bss 79740 79740 0 0.0
.data 1872 1872 0 0.0
.text 580108 580108 0 0.0
linux all-clusters-app debug (read only) 1765289 1765289 0 0.0
(read/write) 129432 129432 0 0.0
.bss 58576 58576 0 0.0
.data 1170 1170 0 0.0
.data.rel.ro 64384 64384 0 0.0
.dynamic 592 592 0 0.0
.got 4112 4112 0 0.0
.init 27 27 0 0.0
.init_array 576 576 0 0.0
.rodata 138357 138357 0 0.0
.text 1488946 1488946 0 0.0
bridge-app debug+rpc (read only) 1340837 1340837 0 0.0
(read/write) 77376 77376 0 0.0
.bss 41488 41488 0 0.0
.data 1680 1680 0 0.0
.data.rel.ro 29184 29184 0 0.0
.dynamic 592 592 0 0.0
.got 3984 3984 0 0.0
.init 27 27 0 0.0
.init_array 424 424 0 0.0
.rodata 112924 112924 0 0.0
.text 1128181 1128181 0 0.0
chip-tool debug (read only) 5957109 5958757 1648 0.0
(read/write) 197104 197136 32 0.0
.bss 39840 39840 0 0.0
.data 2384 2384 0 0.0
.data.rel.ro 149320 149320 0 0.0
.dynamic 592 592 0 0.0
.got 4456 4480 24 0.5
.init 27 27 0 0.0
.init_array 488 488 0 0.0
.rodata 283848 283848 0 0.0
.text 5289941 5291285 1344 0.0
lighting-app debug+rpc (read only) 1614113 1614113 0 0.0
(read/write) 110656 110656 0 0.0
.bss 47184 47184 0 0.0
.data 1362 1362 0 0.0
.data.rel.ro 56784 56784 0 0.0
.dynamic 608 608 0 0.0
.got 4136 4136 0 0.0
.init 27 27 0 0.0
.init_array 552 552 0 0.0
.rodata 131281 131281 0 0.0
.text 1345474 1345474 0 0.0
ota-provider-app debug (read only) 1305001 1305001 0 0.0
(read/write) 75864 75864 0 0.0
.bss 44064 44064 0 0.0
.data 912 912 0 0.0
.data.rel.ro 25736 25736 0 0.0
.dynamic 592 592 0 0.0
.got 4048 4048 0 0.0
.init 27 27 0 0.0
.init_array 464 464 0 0.0
.rodata 114704 114704 0 0.0
.text 1090306 1090306 0 0.0
ota-requestor-app debug (read only) 1401537 1401537 0 0.0
(read/write) 79760 79760 0 0.0
.bss 46528 46528 0 0.0
.data 976 976 0 0.0
.data.rel.ro 27096 27096 0 0.0
.dynamic 592 592 0 0.0
.got 4032 4032 0 0.0
.init 27 27 0 0.0
.init_array 488 488 0 0.0
.rodata 126144 126144 0 0.0
.text 1172610 1172610 0 0.0
shell debug (read only) 818721 818721 0 0.0
(read/write) 66520 66520 0 0.0
.bss 23240 23240 0 0.0
.data 338 338 0 0.0
.data.rel.ro 38392 38392 0 0.0
.dynamic 592 592 0 0.0
.got 3560 3560 0 0.0
.init 27 27 0 0.0
.init_array 360 360 0 0.0
.rodata 78991 78991 0 0.0
.text 633378 633378 0 0.0
tv-app debug (read only) 1910681 1912329 1648 0.1
(read/write) 319624 319656 32 0.0
.bss 249928 249928 0 0.0
.data 2880 2880 0 0.0
.data.rel.ro 61136 61136 0 0.0
.dynamic 592 592 0 0.0
.got 4432 4456 24 0.5
.init 27 27 0 0.0
.init_array 632 632 0 0.0
.rodata 159208 159208 0 0.0
.text 1603634 1604978 1344 0.1
mbed all-clusters-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2293808 2293808 0 0.0
.bss 180380 180380 0 0.0
.data 5240 5240 0 0.0
.heap 850824 850824 0 0.0
.text 1256408 1256408 0 0.0
lighting-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2278008 2278008 0 0.0
.bss 172284 172284 0 0.0
.data 5600 5600 0 0.0
.heap 858560 858560 0 0.0
.text 1240608 1240608 0 0.0
lock-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2252392 2252392 0 0.0
.bss 171100 171100 0 0.0
.data 5584 5584 0 0.0
.heap 859760 859760 0 0.0
.text 1214992 1214992 0 0.0
pigweed-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 1139744 1139744 0 0.0
.bss 11752 11752 0 0.0
.data 4368 4368 0 0.0
.heap 1020328 1020328 0 0.0
.text 103128 103128 0 0.0
shell CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2050648 2050648 0 0.0
.bss 156304 156304 0 0.0
.data 4984 4984 0 0.0
.heap 875160 875160 0 0.0
.text 1013248 1013248 0 0.0
nrfconnect lighting-app nrf52840dk_nrf52840 (read/write) 870919 870919 0 0.0
bss 112628 112628 0 0.0
rodata 96496 96496 0 0.0
text 586156 586156 0 0.0
nrf52840dk_nrf52840+rpc (read/write) 833287 833287 0 0.0
bss 108980 108980 0 0.0
rodata 87680 87680 0 0.0
text 560324 560324 0 0.0
nrf5340dk_nrf5340_cpuapp (read/write) 795962 795962 0 0.0
bss 114000 114000 0 0.0
rodata 91756 91756 0 0.0
text 515616 515616 0 0.0
lock-app nrf52840dk_nrf52840 (read/write) 843011 843011 0 0.0
bss 109660 109660 0 0.0
rodata 92500 92500 0 0.0
text 565400 565400 0 0.0
nrf5340dk_nrf5340_cpuapp (read/write) 768282 768282 0 0.0
bss 111072 111072 0 0.0
rodata 87788 87788 0 0.0
text 494952 494952 0 0.0
pigweed-app nrf52840dk_nrf52840 (read/write) 497327 497327 0 0.0
bss 51824 51824 0 0.0
rodata 45780 45780 0 0.0
text 339436 339436 0 0.0
pump-app nrf52840dk_nrf52840 (read/write) 849143 849143 0 0.0
bss 109800 109800 0 0.0
rodata 94208 94208 0 0.0
text 569580 569580 0 0.0
pump-controller-app nrf52840dk_nrf52840 (read/write) 842703 842703 0 0.0
bss 109696 109696 0 0.0
rodata 92456 92456 0 0.0
text 565020 565020 0 0.0
shell nrf52840dk_nrf52840 (read/write) 778311 778311 0 0.0
bss 109168 109168 0 0.0
rodata 72996 72996 0 0.0
text 521532 521532 0 0.0
nrf5340dk_nrf5340_cpuapp (read/write) 693350 693350 0 0.0
bss 110152 110152 0 0.0
rodata 67640 67640 0 0.0
text 442140 442140 0 0.0
p6 all-clusters-app default (read/write) 2309128 2309128 0 0.0
.bss 113368 113368 0 0.0
.data 2544 2544 0 0.0
.heap 917432 917432 0 0.0
.text 1267392 1267392 0 0.0
lock-app default (read/write) 2221128 2221128 0 0.0
.bss 100960 100960 0 0.0
.data 2416 2416 0 0.0
.heap 929968 929968 0 0.0
.text 1179392 1179392 0 0.0
qpg lighting-app qpg6100+debug (read only) 498664 498664 0 0.0
(read/write) 114140 114140 0 0.0
.bss 50368 50368 0 0.0
.data 1020 1020 0 0.0
.text 493344 493344 0 0.0
lock-app qpg6100+debug (read only) 472568 472568 0 0.0
(read/write) 114144 114144 0 0.0
.bss 49240 49240 0 0.0
.data 976 976 0 0.0
.text 467248 467248 0 0.0
persistent-storage-app qpg6100+debug (read only) 105408 105408 0 0.0
(read/write) 114142 114142 0 0.0
.bss 8986 8986 0 0.0
.data 272 272 0 0.0
.text 100088 100088 0 0.0
telink lighting-app tlsr9518adk80d (read/write) 772310 772310 0 0.0
bss 79204 79204 0 0.0
noinit 37160 37160 0 0.0
text 536388 536388 0 0.0

tcarmelveilleux
tcarmelveilleux requested changes Nov 25, 2021
View reviewed changes
Copy link
Contributor

@tcarmelveilleux tcarmelveilleux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Time validity checks need to be better explained and to make sure they validate what is intended (see comments)

@woody-apple
Copy link
Contributor

Ping @vijs ?

@boring-cyborg boring-cyborg bot added the crypto label Nov 30, 2021
@github-actions
Copy link

github-actions bot commented Nov 30, 2021
edited
Loading

PR #12212: Size comparison from 7e99454 to a0e0f0b

Increases above 0.2%:

platform target config section 7e99454 a0e0f0b change % change
linux chip-tool debug .got 4472 4496 24 0.5
tv-app debug .got 4424 4448 24 0.5
Increases (2 builds for linux)
platform target config section 7e99454 a0e0f0b change % change
linux chip-tool debug (read only) 6137597 6139245 1648 0.0
(read/write) 199760 199792 32 0.0
.got 4472 4496 24 0.5
.text 5452597 5453941 1344 0.0
tv-app debug (read only) 1927729 1929377 1648 0.1
(read/write) 321152 321184 32 0.0
.got 4424 4448 24 0.5
.text 1617842 1619186 1344 0.1
Full report (38 builds for efr32, esp32, k32w, linux, mbed, nrfconnect, p6, qpg, telink)
platform target config section 7e99454 a0e0f0b change % change
efr32 lighting-app BRD4161A (read only) 763016 763016 0 0.0
(read/write) 120300 120300 0 0.0
.bss 118476 118476 0 0.0
.data 1820 1820 0 0.0
.text 763008 763008 0 0.0
BRD4161A+rpc (read only) 791512 791512 0 0.0
(read/write) 138596 138596 0 0.0
.bss 136676 136676 0 0.0
.data 1920 1920 0 0.0
.text 791504 791504 0 0.0
lock-app BRD4161A (read only) 736896 736896 0 0.0
(read/write) 118004 118004 0 0.0
.bss 116228 116228 0 0.0
.data 1776 1776 0 0.0
.text 736888 736888 0 0.0
window-app BRD4161A (read only) 739984 739984 0 0.0
(read/write) 118436 118436 0 0.0
.bss 116652 116652 0 0.0
.data 1784 1784 0 0.0
.text 739976 739976 0 0.0
esp32 all-clusters-app c3devkit (read only) 836580 836580 0 0.0
(read/write) 1225258 1225258 0 0.0
.dram0.bss 59608 59608 0 0.0
.dram0.data 13988 13988 0 0.0
.flash.rodata 166400 166400 0 0.0
.flash.text 836580 836580 0 0.0
.iram0.text 61390 61390 0 0.0
m5stack (read only) 908587 908587 0 0.0
(read/write) 424484 424484 0 0.0
.dram0.bss 65000 65000 0 0.0
.dram0.data 33960 33960 0 0.0
.flash.rodata 194244 194244 0 0.0
.flash.text 903203 903203 0 0.0
.iram0.text 122943 122943 0 0.0
k32w lighting-app k32w061+se05x+release (read/write) 724356 724356 0 0.0
.bss 78756 78756 0 0.0
.data 1844 1844 0 0.0
.text 637956 637956 0 0.0
lock-app k32w061+debug (read/write) 613348 613348 0 0.0
.bss 69204 69204 0 0.0
.data 1808 1808 0 0.0
.text 536536 536536 0 0.0
shell k32w061+debug (read/write) 679128 679128 0 0.0
.bss 80780 80780 0 0.0
.data 1780 1780 0 0.0
.text 590768 590768 0 0.0
linux all-clusters-app debug (read only) 1779889 1779889 0 0.0
(read/write) 131960 131960 0 0.0
.bss 60688 60688 0 0.0
.data 1040 1040 0 0.0
.data.rel.ro 64928 64928 0 0.0
.dynamic 592 592 0 0.0
.got 4112 4112 0 0.0
.init 27 27 0 0.0
.init_array 576 576 0 0.0
.rodata 139957 139957 0 0.0
.text 1500914 1500914 0 0.0
bridge-app debug+rpc (read only) 1353061 1353061 0 0.0
(read/write) 78400 78400 0 0.0
.bss 42288 42288 0 0.0
.data 1680 1680 0 0.0
.data.rel.ro 29384 29384 0 0.0
.dynamic 592 592 0 0.0
.got 3984 3984 0 0.0
.init 27 27 0 0.0
.init_array 424 424 0 0.0
.rodata 113820 113820 0 0.0
.text 1139125 1139125 0 0.0
chip-tool debug (read only) 6137597 6139245 1648 0.0
(read/write) 199760 199792 32 0.0
.bss 40640 40640 0 0.0
.data 1008 1008 0 0.0
.data.rel.ro 152528 152528 0 0.0
.dynamic 592 592 0 0.0
.got 4472 4496 24 0.5
.init 27 27 0 0.0
.init_array 488 488 0 0.0
.rodata 294440 294440 0 0.0
.text 5452597 5453941 1344 0.0
lighting-app debug+rpc (read only) 1633129 1633129 0 0.0
(read/write) 111520 111520 0 0.0
.bss 47984 47984 0 0.0
.data 1232 1232 0 0.0
.data.rel.ro 56976 56976 0 0.0
.dynamic 608 608 0 0.0
.got 4136 4136 0 0.0
.init 27 27 0 0.0
.init_array 552 552 0 0.0
.rodata 132305 132305 0 0.0
.text 1363010 1363010 0 0.0
ota-provider-app debug (read only) 1313409 1313409 0 0.0
(read/write) 76856 76856 0 0.0
.bss 44864 44864 0 0.0
.data 912 912 0 0.0
.data.rel.ro 25944 25944 0 0.0
.dynamic 592 592 0 0.0
.got 4048 4048 0 0.0
.init 27 27 0 0.0
.init_array 464 464 0 0.0
.rodata 114960 114960 0 0.0
.text 1098098 1098098 0 0.0
ota-requestor-app debug (read only) 1409897 1409897 0 0.0
(read/write) 80688 80688 0 0.0
.bss 47296 47296 0 0.0
.data 976 976 0 0.0
.data.rel.ro 27272 27272 0 0.0
.dynamic 592 592 0 0.0
.got 4032 4032 0 0.0
.init 27 27 0 0.0
.init_array 488 488 0 0.0
.rodata 126464 126464 0 0.0
.text 1180290 1180290 0 0.0
shell debug (read only) 821761 821761 0 0.0
(read/write) 67288 67288 0 0.0
.bss 23976 23976 0 0.0
.data 224 224 0 0.0
.data.rel.ro 38560 38560 0 0.0
.dynamic 592 592 0 0.0
.got 3560 3560 0 0.0
.init 27 27 0 0.0
.init_array 360 360 0 0.0
.rodata 79218 79218 0 0.0
.text 635858 635858 0 0.0
tv-app debug (read only) 1927729 1929377 1648 0.1
(read/write) 321152 321184 32 0.0
.bss 252376 252376 0 0.0
.data 1504 1504 0 0.0
.data.rel.ro 61608 61608 0 0.0
.dynamic 592 592 0 0.0
.got 4424 4448 24 0.5
.init 27 27 0 0.0
.init_array 640 640 0 0.0
.rodata 161448 161448 0 0.0
.text 1617842 1619186 1344 0.1
mbed all-clusters-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2296160 2296160 0 0.0
.bss 182348 182348 0 0.0
.data 5128 5128 0 0.0
.heap 848968 848968 0 0.0
.text 1258760 1258760 0 0.0
lighting-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2281096 2281096 0 0.0
.bss 172956 172956 0 0.0
.data 5488 5488 0 0.0
.heap 858000 858000 0 0.0
.text 1243696 1243696 0 0.0
lock-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2254192 2254192 0 0.0
.bss 171772 171772 0 0.0
.data 5472 5472 0 0.0
.heap 859200 859200 0 0.0
.text 1216792 1216792 0 0.0
pigweed-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 1139744 1139744 0 0.0
.bss 11752 11752 0 0.0
.data 4368 4368 0 0.0
.heap 1020328 1020328 0 0.0
.text 103128 103128 0 0.0
shell CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2051232 2051232 0 0.0
.bss 156920 156920 0 0.0
.data 4872 4872 0 0.0
.heap 874656 874656 0 0.0
.text 1013832 1013832 0 0.0
nrfconnect lighting-app nrf52840dk_nrf52840 (read/write) 876639 876639 0 0.0
bss 113124 113124 0 0.0
rodata 97344 97344 0 0.0
text 590620 590620 0 0.0
nrf52840dk_nrf52840+rpc (read/write) 839087 839087 0 0.0
bss 109476 109476 0 0.0
rodata 88608 88608 0 0.0
text 564788 564788 0 0.0
nrf5340dk_nrf5340_cpuapp (read/write) 801674 801674 0 0.0
bss 114500 114500 0 0.0
rodata 92604 92604 0 0.0
text 520076 520076 0 0.0
lock-app nrf52840dk_nrf52840 (read/write) 847467 847467 0 0.0
bss 110164 110164 0 0.0
rodata 93084 93084 0 0.0
text 568872 568872 0 0.0
nrf5340dk_nrf5340_cpuapp (read/write) 772738 772738 0 0.0
bss 111572 111572 0 0.0
rodata 88372 88372 0 0.0
text 498420 498420 0 0.0
pigweed-app nrf52840dk_nrf52840 (read/write) 497327 497327 0 0.0
bss 51824 51824 0 0.0
rodata 45780 45780 0 0.0
text 339436 339436 0 0.0
pump-app nrf52840dk_nrf52840 (read/write) 853479 853479 0 0.0
bss 110300 110300 0 0.0
rodata 94816 94816 0 0.0
text 572940 572940 0 0.0
pump-controller-app nrf52840dk_nrf52840 (read/write) 846559 846559 0 0.0
bss 110176 110176 0 0.0
rodata 92952 92952 0 0.0
text 568000 568000 0 0.0
shell nrf52840dk_nrf52840 (read/write) 779043 779043 0 0.0
bss 109604 109604 0 0.0
rodata 73192 73192 0 0.0
text 521724 521724 0 0.0
nrf5340dk_nrf5340_cpuapp (read/write) 694058 694058 0 0.0
bss 110588 110588 0 0.0
rodata 67836 67836 0 0.0
text 442332 442332 0 0.0
p6 all-clusters-app default (read/write) 2317928 2317928 0 0.0
.bss 115256 115256 0 0.0
.data 2424 2424 0 0.0
.heap 915664 915664 0 0.0
.text 1276192 1276192 0 0.0
lock-app default (read/write) 2229400 2229400 0 0.0
.bss 101552 101552 0 0.0
.data 2288 2288 0 0.0
.heap 929504 929504 0 0.0
.text 1187664 1187664 0 0.0
qpg lighting-app qpg6100+debug (read only) 496712 496712 0 0.0
(read/write) 114144 114144 0 0.0
.bss 79640 79640 0 0.0
.data 944 944 0 0.0
.text 491392 491392 0 0.0
lock-app qpg6100+debug (read only) 469316 469316 0 0.0
(read/write) 114144 114144 0 0.0
.bss 78552 78552 0 0.0
.data 896 896 0 0.0
.text 463996 463996 0 0.0
persistent-storage-app qpg6100+debug (read only) 108076 108076 0 0.0
(read/write) 114144 114144 0 0.0
.bss 36864 36864 0 0.0
.data 296 296 0 0.0
.text 102756 102756 0 0.0
telink lighting-app tlsr9518adk80d (read/write) 778454 778454 0 0.0
bss 79700 79700 0 0.0
noinit 37160 37160 0 0.0
text 541270 541270 0 0.0

@todo
Copy link

todo bot commented Nov 30, 2021

Handle PAA/PAI re-issue and enable below time validations

connectedhomeip/src/crypto/CHIPCryptoPALOpenSSL.cpp

Lines 1731 to 1741 in 4ef7efd

// TODO: Handle PAA/PAI re-issue and enable below time validations
// result = ASN1_TIME_compare(refNotBeforeTime, tbeNotBeforeTime);
// check if referenceCertificate is issued at or after tbeCertificate's notBefore timestamp
// VerifyOrExit(result >= 0, error = CHIP_ERROR_CERT_EXPIRED);
// result = ASN1_TIME_compare(refNotBeforeTime, tbeNotAfterTime);
// check if referenceCertificate is issued at or before tbeCertificate's notAfter timestamp
// VerifyOrExit(result <= 0, error = CHIP_ERROR_CERT_EXPIRED);
exit:
X509_free(x509ReferenceCertificate);

This comment was generated by todo based on a TODO comment in 4ef7efd in #12212. cc @vijs.

@todo
Copy link

todo bot commented Nov 30, 2021

Handle PAA/PAI re-issue and enable below time validation

connectedhomeip/src/crypto/CHIPCryptoPALmbedTLS.cpp

Lines 1313 to 1323 in 4ef7efd

// TODO: Handle PAA/PAI re-issue and enable below time validation
// check if referenceCertificate is issued at or after tbeCertificate's notBefore timestamp
// VerifyOrExit(IsTimeGreaterThanEqual(&refNotBeforeTime, &tbeNotBeforeTime), error = CHIP_ERROR_CERT_EXPIRED);
// check if referenceCertificate is issued at or before tbeCertificate's notAfter timestamp
// VerifyOrExit(IsTimeGreaterThanEqual(&tbeNotAfterTime, &refNotBeforeTime), error = CHIP_ERROR_CERT_EXPIRED);
exit:
_log_mbedTLS_error(result);
mbedtls_x509_crt_free(&mbedReferenceCertificate);
mbedtls_x509_crt_free(&mbedToBeEvaluatedCertificate);

This comment was generated by todo based on a TODO comment in 4ef7efd in #12212. cc @vijs.

@github-actions
Copy link

github-actions bot commented Nov 30, 2021
edited
Loading

PR #12212: Size comparison from 7e99454 to 4ef7efd

Full report (7 builds for efr32, p6, telink)
platform target config section 7e99454 4ef7efd change % change
efr32 lighting-app BRD4161A (read only) 763016 763016 0 0.0
(read/write) 120300 120300 0 0.0
.bss 118476 118476 0 0.0
.data 1820 1820 0 0.0
.text 763008 763008 0 0.0
BRD4161A+rpc (read only) 791512 791512 0 0.0
(read/write) 138596 138596 0 0.0
.bss 136676 136676 0 0.0
.data 1920 1920 0 0.0
.text 791504 791504 0 0.0
lock-app BRD4161A (read only) 736896 736896 0 0.0
(read/write) 118004 118004 0 0.0
.bss 116228 116228 0 0.0
.data 1776 1776 0 0.0
.text 736888 736888 0 0.0
window-app BRD4161A (read only) 739984 739984 0 0.0
(read/write) 118436 118436 0 0.0
.bss 116652 116652 0 0.0
.data 1784 1784 0 0.0
.text 739976 739976 0 0.0
p6 all-clusters-app default (read/write) 2317928 2317928 0 0.0
.bss 115256 115256 0 0.0
.data 2424 2424 0 0.0
.heap 915664 915664 0 0.0
.text 1276192 1276192 0 0.0
lock-app default (read/write) 2229400 2229400 0 0.0
.bss 101552 101552 0 0.0
.data 2288 2288 0 0.0
.heap 929504 929504 0 0.0
.text 1187664 1187664 0 0.0
telink lighting-app tlsr9518adk80d (read/write) 778454 778454 0 0.0
bss 79700 79700 0 0.0
noinit 37160 37160 0 0.0
text 541270 541270 0 0.0

@vijs vijs force-pushed the feature/da_time_validity branch from 2d30fd4 to 2ee24f5 Compare December 2, 2021 16:56
@github-actions
Copy link

github-actions bot commented Dec 2, 2021
edited
Loading

PR #12212: Size comparison from a5513c2 to 2ee24f5

Increases above 0.2%:

platform target config section a5513c2 2ee24f5 change % change
linux chip-tool debug .got 4464 4488 24 0.5
tv-app debug .got 4424 4448 24 0.5
Increases (2 builds for linux)
platform target config section a5513c2 2ee24f5 change % change
linux chip-tool debug (read only) 6589629 6591541 1912 0.0
(read/write) 201616 201648 32 0.0
.got 4464 4488 24 0.5
.text 5874181 5875781 1600 0.0
tv-app debug (read only) 1993585 1995489 1904 0.1
.got 4424 4448 24 0.5
.text 1672562 1674162 1600 0.1
Full report (23 builds for efr32, esp32, linux, mbed, p6, telink)
platform target config section a5513c2 2ee24f5 change % change
efr32 lighting-app BRD4161A (read only) 750760 750760 0 0.0
(read/write) 119976 119976 0 0.0
.bss 118160 118160 0 0.0
.data 1812 1812 0 0.0
.text 750752 750752 0 0.0
BRD4161A+rpc (read only) 779416 779416 0 0.0
(read/write) 138280 138280 0 0.0
.bss 136360 136360 0 0.0
.data 1920 1920 0 0.0
.text 779408 779408 0 0.0
lock-app BRD4161A (read only) 724616 724616 0 0.0
(read/write) 117680 117680 0 0.0
.bss 115912 115912 0 0.0
.data 1768 1768 0 0.0
.text 724608 724608 0 0.0
window-app BRD4161A (read only) 727928 727928 0 0.0
(read/write) 118104 118104 0 0.0
.bss 116328 116328 0 0.0
.data 1776 1776 0 0.0
.text 727920 727920 0 0.0
esp32 all-clusters-app c3devkit (read only) 846930 846930 0 0.0
(read/write) 1223314 1223314 0 0.0
.dram0.bss 56456 56456 0 0.0
.dram0.data 14036 14036 0 0.0
.flash.rodata 167360 167360 0 0.0
.flash.text 846930 846930 0 0.0
.iram0.text 61394 61394 0 0.0
m5stack (read only) 917483 917483 0 0.0
(read/write) 422308 422308 0 0.0
.dram0.bss 61848 61848 0 0.0
.dram0.data 34000 34000 0 0.0
.flash.rodata 195180 195180 0 0.0
.flash.text 912099 912099 0 0.0
.iram0.text 122943 122943 0 0.0
linux all-clusters-app debug (read only) 1832833 1832833 0 0.0
(read/write) 123648 123648 0 0.0
.bss 50640 50640 0 0.0
.data 1104 1104 0 0.0
.data.rel.ro 66624 66624 0 0.0
.dynamic 592 592 0 0.0
.got 4112 4112 0 0.0
.init 27 27 0 0.0
.init_array 552 552 0 0.0
.rodata 146261 146261 0 0.0
.text 1545202 1545202 0 0.0
bridge-app debug+rpc (read only) 1416061 1416061 0 0.0
(read/write) 73808 73808 0 0.0
.bss 36048 36048 0 0.0
.data 1680 1680 0 0.0
.data.rel.ro 31056 31056 0 0.0
.dynamic 592 592 0 0.0
.got 3984 3984 0 0.0
.init 27 27 0 0.0
.init_array 408 408 0 0.0
.rodata 119300 119300 0 0.0
.text 1193189 1193189 0 0.0
chip-tool debug (read only) 6589629 6591541 1912 0.0
(read/write) 201616 201648 32 0.0
.bss 34344 34344 0 0.0
.data 1008 1008 0 0.0
.data.rel.ro 160696 160696 0 0.0
.dynamic 592 592 0 0.0
.got 4464 4488 24 0.5
.init 27 27 0 0.0
.init_array 480 480 0 0.0
.rodata 306104 306104 0 0.0
.text 5874181 5875781 1600 0.0
lighting-app debug+rpc (read only) 1699865 1699865 0 0.0
(read/write) 106896 106896 0 0.0
.bss 41744 41744 0 0.0
.data 1264 1264 0 0.0
.data.rel.ro 58560 58560 0 0.0
.dynamic 608 608 0 0.0
.got 4136 4136 0 0.0
.init 27 27 0 0.0
.init_array 536 536 0 0.0
.rodata 139089 139089 0 0.0
.text 1419458 1419458 0 0.0
ota-provider-app debug (read only) 1377977 1377977 0 0.0
(read/write) 72264 72264 0 0.0
.bss 38624 38624 0 0.0
.data 912 912 0 0.0
.data.rel.ro 27592 27592 0 0.0
.dynamic 592 592 0 0.0
.got 4048 4048 0 0.0
.init 27 27 0 0.0
.init_array 448 448 0 0.0
.rodata 120776 120776 0 0.0
.text 1153394 1153394 0 0.0
ota-requestor-app debug (read only) 1478033 1478033 0 0.0
(read/write) 76160 76160 0 0.0
.bss 40736 40736 0 0.0
.data 976 976 0 0.0
.data.rel.ro 29304 29304 0 0.0
.dynamic 592 592 0 0.0
.got 4032 4032 0 0.0
.init 27 27 0 0.0
.init_array 472 472 0 0.0
.rodata 132720 132720 0 0.0
.text 1238066 1238066 0 0.0
shell debug (read only) 812841 812841 0 0.0
(read/write) 60264 60264 0 0.0
.bss 16904 16904 0 0.0
.data 240 240 0 0.0
.data.rel.ro 38656 38656 0 0.0
.dynamic 592 592 0 0.0
.got 3504 3504 0 0.0
.init 27 27 0 0.0
.init_array 344 344 0 0.0
.rodata 83506 83506 0 0.0
.text 623250 623250 0 0.0
tv-app debug (read only) 1993585 1995489 1904 0.1
(read/write) 316536 316536 0 0.0
.bss 246112 246112 0 0.0
.data 1504 1504 0 0.0
.data.rel.ro 63248 63248 0 0.0
.dynamic 592 592 0 0.0
.got 4424 4448 24 0.5
.init 27 27 0 0.0
.init_array 624 624 0 0.0
.rodata 169128 169128 0 0.0
.text 1672562 1674162 1600 0.1
mbed all-clusters-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2308000 2308000 0 0.0
.bss 179516 179516 0 0.0
.data 5168 5168 0 0.0
.heap 851760 851760 0 0.0
.text 1270576 1270576 0 0.0
lighting-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2294648 2294648 0 0.0
.bss 173208 173208 0 0.0
.data 5480 5480 0 0.0
.heap 857760 857760 0 0.0
.text 1257248 1257248 0 0.0
lock-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2267744 2267744 0 0.0
.bss 172024 172024 0 0.0
.data 5480 5480 0 0.0
.heap 858944 858944 0 0.0
.text 1230344 1230344 0 0.0
pigweed-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 1140008 1140008 0 0.0
.bss 11756 11756 0 0.0
.data 4376 4376 0 0.0
.heap 1020312 1020312 0 0.0
.text 103392 103392 0 0.0
shell CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2046576 2046576 0 0.0
.bss 156704 156704 0 0.0
.data 4864 4864 0 0.0
.heap 874880 874880 0 0.0
.text 1009176 1009176 0 0.0
p6 all-clusters-app default (read/write) 2337560 2337560 0 0.0
.bss 107696 107696 0 0.0
.data 2456 2456 0 0.0
.heap 923192 923192 0 0.0
.text 1295824 1295824 0 0.0
light-app default (read/write) 2277344 2277344 0 0.0
.bss 98428 98428 0 0.0
.data 2328 2328 0 0.0
.heap 932584 932584 0 0.0
.text 1235608 1235608 0 0.0
lock-app default (read/write) 2252680 2252680 0 0.0
.bss 97084 97084 0 0.0
.data 2288 2288 0 0.0
.heap 933968 933968 0 0.0
.text 1210944 1210944 0 0.0
telink lighting-app tlsr9518adk80d (read/write) 793890 793890 0 0.0
bss 80288 80288 0 0.0
noinit 37160 37160 0 0.0
text 554246 554246 0 0.0

@vijs vijs force-pushed the feature/da_time_validity branch from 2ee24f5 to dddeb59 Compare December 2, 2021 19:20
@github-actions
Copy link

github-actions bot commented Dec 2, 2021
edited
Loading

PR #12212: Size comparison from cea8769 to dddeb59

Increases above 0.2%:

platform target config section cea8769 dddeb59 change % change
linux chip-tool debug .got 4464 4488 24 0.5
tv-app debug .got 4424 4448 24 0.5
Increases (2 builds for linux)
platform target config section cea8769 dddeb59 change % change
linux chip-tool debug (read only) 6613133 6615045 1912 0.0
(read/write) 201744 201776 32 0.0
.got 4464 4488 24 0.5
.text 5896373 5897973 1600 0.0
tv-app debug (read only) 1995169 1997089 1920 0.1
.got 4424 4448 24 0.5
.text 1673618 1675234 1616 0.1
Full report (26 builds for efr32, esp32, linux, mbed, p6, qpg, telink)
platform target config section cea8769 dddeb59 change % change
efr32 lighting-app BRD4161A (read only) 751432 751432 0 0.0
(read/write) 120008 120008 0 0.0
.bss 118176 118176 0 0.0
.data 1828 1828 0 0.0
.text 751424 751424 0 0.0
BRD4161A+rpc (read only) 780080 780080 0 0.0
(read/write) 138312 138312 0 0.0
.bss 136376 136376 0 0.0
.data 1936 1936 0 0.0
.text 780072 780072 0 0.0
lock-app BRD4161A (read only) 725272 725272 0 0.0
(read/write) 117712 117712 0 0.0
.bss 115928 115928 0 0.0
.data 1784 1784 0 0.0
.text 725264 725264 0 0.0
window-app BRD4161A (read only) 728600 728600 0 0.0
(read/write) 118136 118136 0 0.0
.bss 116344 116344 0 0.0
.data 1792 1792 0 0.0
.text 728592 728592 0 0.0
esp32 all-clusters-app c3devkit (read only) 847268 847268 0 0.0
(read/write) 1223618 1223618 0 0.0
.dram0.bss 56472 56472 0 0.0
.dram0.data 14052 14052 0 0.0
.flash.rodata 167632 167632 0 0.0
.flash.text 847268 847268 0 0.0
.iram0.text 61394 61394 0 0.0
m5stack (read only) 917827 917827 0 0.0
(read/write) 422596 422596 0 0.0
.dram0.bss 61864 61864 0 0.0
.dram0.data 34016 34016 0 0.0
.flash.rodata 195436 195436 0 0.0
.flash.text 912443 912443 0 0.0
.iram0.text 122943 122943 0 0.0
linux all-clusters-app debug (read only) 1835665 1835665 0 0.0
(read/write) 123840 123840 0 0.0
.bss 50640 50640 0 0.0
.data 1120 1120 0 0.0
.data.rel.ro 66816 66816 0 0.0
.dynamic 592 592 0 0.0
.got 4112 4112 0 0.0
.init 27 27 0 0.0
.init_array 552 552 0 0.0
.rodata 146357 146357 0 0.0
.text 1547506 1547506 0 0.0
bridge-app debug+rpc (read only) 1417669 1417669 0 0.0
(read/write) 74032 74032 0 0.0
.bss 36048 36048 0 0.0
.data 1728 1728 0 0.0
.data.rel.ro 31248 31248 0 0.0
.dynamic 592 592 0 0.0
.got 3984 3984 0 0.0
.init 27 27 0 0.0
.init_array 408 408 0 0.0
.rodata 119404 119404 0 0.0
.text 1194261 1194261 0 0.0
chip-tool debug (read only) 6613133 6615045 1912 0.0
(read/write) 201744 201776 32 0.0
.bss 34344 34344 0 0.0
.data 1024 1024 0 0.0
.data.rel.ro 160824 160824 0 0.0
.dynamic 592 592 0 0.0
.got 4464 4488 24 0.5
.init 27 27 0 0.0
.init_array 480 480 0 0.0
.rodata 307128 307128 0 0.0
.text 5896373 5897973 1600 0.0
lighting-app debug+rpc (read only) 1701465 1701465 0 0.0
(read/write) 107088 107088 0 0.0
.bss 41744 41744 0 0.0
.data 1280 1280 0 0.0
.data.rel.ro 58752 58752 0 0.0
.dynamic 608 608 0 0.0
.got 4136 4136 0 0.0
.init 27 27 0 0.0
.init_array 536 536 0 0.0
.rodata 139185 139185 0 0.0
.text 1420530 1420530 0 0.0
ota-provider-app debug (read only) 1378201 1378201 0 0.0
(read/write) 72264 72264 0 0.0
.bss 38624 38624 0 0.0
.data 928 928 0 0.0
.data.rel.ro 27592 27592 0 0.0
.dynamic 592 592 0 0.0
.got 4048 4048 0 0.0
.init 27 27 0 0.0
.init_array 448 448 0 0.0
.rodata 120680 120680 0 0.0
.text 1153714 1153714 0 0.0
ota-requestor-app debug (read only) 1478225 1478225 0 0.0
(read/write) 76160 76160 0 0.0
.bss 40736 40736 0 0.0
.data 992 992 0 0.0
.data.rel.ro 29304 29304 0 0.0
.dynamic 592 592 0 0.0
.got 4032 4032 0 0.0
.init 27 27 0 0.0
.init_array 472 472 0 0.0
.rodata 132592 132592 0 0.0
.text 1238386 1238386 0 0.0
shell debug (read only) 813129 813129 0 0.0
(read/write) 60264 60264 0 0.0
.bss 16904 16904 0 0.0
.data 256 256 0 0.0
.data.rel.ro 38656 38656 0 0.0
.dynamic 592 592 0 0.0
.got 3504 3504 0 0.0
.init 27 27 0 0.0
.init_array 344 344 0 0.0
.rodata 83506 83506 0 0.0
.text 623538 623538 0 0.0
tv-app debug (read only) 1995169 1997089 1920 0.1
(read/write) 316760 316760 0 0.0
.bss 246112 246112 0 0.0
.data 1520 1520 0 0.0
.data.rel.ro 63440 63440 0 0.0
.dynamic 592 592 0 0.0
.got 4424 4448 24 0.5
.init 27 27 0 0.0
.init_array 624 624 0 0.0
.rodata 169224 169224 0 0.0
.text 1673618 1675234 1616 0.1
mbed all-clusters-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2308576 2308576 0 0.0
.bss 179532 179532 0 0.0
.data 5184 5184 0 0.0
.heap 851728 851728 0 0.0
.text 1271152 1271152 0 0.0
lighting-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2295096 2295096 0 0.0
.bss 173224 173224 0 0.0
.data 5496 5496 0 0.0
.heap 857728 857728 0 0.0
.text 1257696 1257696 0 0.0
lock-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2268128 2268128 0 0.0
.bss 172040 172040 0 0.0
.data 5496 5496 0 0.0
.heap 858912 858912 0 0.0
.text 1230728 1230728 0 0.0
pigweed-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 1140008 1140008 0 0.0
.bss 11756 11756 0 0.0
.data 4376 4376 0 0.0
.heap 1020312 1020312 0 0.0
.text 103392 103392 0 0.0
shell CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2046576 2046576 0 0.0
.bss 156704 156704 0 0.0
.data 4872 4872 0 0.0
.heap 874872 874872 0 0.0
.text 1009176 1009176 0 0.0
p6 all-clusters-app default (read/write) 2338416 2338416 0 0.0
.bss 107720 107720 0 0.0
.data 2456 2456 0 0.0
.heap 923168 923168 0 0.0
.text 1296680 1296680 0 0.0
light-app default (read/write) 2278016 2278016 0 0.0
.bss 98452 98452 0 0.0
.data 2336 2336 0 0.0
.heap 932552 932552 0 0.0
.text 1236280 1236280 0 0.0
lock-app default (read/write) 2253368 2253368 0 0.0
.bss 97108 97108 0 0.0
.data 2296 2296 0 0.0
.heap 933936 933936 0 0.0
.text 1211632 1211632 0 0.0
qpg lighting-app qpg6100+debug (read only) 510408 510408 0 0.0
(read/write) 122332 122332 0 0.0
.bss 80240 80240 0 0.0
.data 964 964 0 0.0
.text 505088 505088 0 0.0
lock-app qpg6100+debug (read only) 483232 483232 0 0.0
(read/write) 122332 122332 0 0.0
.bss 79152 79152 0 0.0
.data 916 916 0 0.0
.text 477912 477912 0 0.0
persistent-storage-app qpg6100+debug (read only) 108208 108208 0 0.0
(read/write) 122332 122332 0 0.0
.bss 36696 36696 0 0.0
.data 292 292 0 0.0
.text 102888 102888 0 0.0
telink lighting-app tlsr9518adk80d (read/write) 794430 794430 0 0.0
bss 80304 80304 0 0.0
noinit 37160 37160 0 0.0
text 554474 554474 0 0.0

@vijs vijs force-pushed the feature/da_time_validity branch from dddeb59 to cb3698e Compare December 2, 2021 23:14
@github-actions
Copy link

github-actions bot commented Dec 2, 2021
edited
Loading

PR #12212: Size comparison from 7cba51d to cb3698e

Increases above 0.2%:

platform target config section 7cba51d cb3698e change % change
linux chip-tool debug .got 4464 4488 24 0.5
tv-app debug .got 4424 4448 24 0.5
Increases (2 builds for linux)
platform target config section 7cba51d cb3698e change % change
linux chip-tool debug (read only) 6618837 6620765 1928 0.0
(read/write) 202128 202160 32 0.0
.got 4464 4488 24 0.5
.text 5901429 5903045 1616 0.0
tv-app debug (read only) 2000921 2002841 1920 0.1
(read/write) 317616 317648 32 0.0
.got 4424 4448 24 0.5
.text 1678722 1680338 1616 0.1
Full report (39 builds for efr32, esp32, k32w, linux, mbed, nrfconnect, p6, qpg, telink)
platform target config section 7cba51d cb3698e change % change
efr32 lighting-app BRD4161A (read only) 751552 751552 0 0.0
(read/write) 120032 120032 0 0.0
.bss 118200 118200 0 0.0
.data 1828 1828 0 0.0
.text 751544 751544 0 0.0
BRD4161A+rpc (read only) 780216 780216 0 0.0
(read/write) 138336 138336 0 0.0
.bss 136400 136400 0 0.0
.data 1936 1936 0 0.0
.text 780208 780208 0 0.0
lock-app BRD4161A (read only) 725392 725392 0 0.0
(read/write) 117736 117736 0 0.0
.bss 115952 115952 0 0.0
.data 1784 1784 0 0.0
.text 725384 725384 0 0.0
window-app BRD4161A (read only) 728720 728720 0 0.0
(read/write) 118160 118160 0 0.0
.bss 116368 116368 0 0.0
.data 1792 1792 0 0.0
.text 728712 728712 0 0.0
esp32 all-clusters-app c3devkit (read only) 847808 847808 0 0.0
(read/write) 1223826 1223826 0 0.0
.dram0.bss 56576 56576 0 0.0
.dram0.data 14052 14052 0 0.0
.flash.rodata 167744 167744 0 0.0
.flash.text 847808 847808 0 0.0
.iram0.text 61394 61394 0 0.0
m5stack (read only) 918399 918399 0 0.0
(read/write) 422804 422804 0 0.0
.dram0.bss 61960 61960 0 0.0
.dram0.data 34016 34016 0 0.0
.flash.rodata 195548 195548 0 0.0
.flash.text 913015 913015 0 0.0
.iram0.text 122943 122943 0 0.0
k32w lighting-app k32w061+se05x+release (read/write) 728720 728720 0 0.0
.bss 79304 79304 0 0.0
.data 1860 1860 0 0.0
.text 641756 641756 0 0.0
lock-app k32w061+debug (read/write) 617704 617704 0 0.0
.bss 69744 69744 0 0.0
.data 1824 1824 0 0.0
.text 540336 540336 0 0.0
shell k32w061+debug (read/write) 683604 683604 0 0.0
.bss 81400 81400 0 0.0
.data 1796 1796 0 0.0
.text 594608 594608 0 0.0
linux all-clusters-app debug (read only) 1842697 1842697 0 0.0
(read/write) 124256 124256 0 0.0
.bss 50768 50768 0 0.0
.data 1120 1120 0 0.0
.data.rel.ro 67088 67088 0 0.0
.dynamic 592 592 0 0.0
.got 4112 4112 0 0.0
.init 27 27 0 0.0
.init_array 552 552 0 0.0
.rodata 146453 146453 0 0.0
.text 1553890 1553890 0 0.0
bridge-app debug+rpc (read only) 1423037 1423037 0 0.0
(read/write) 74416 74416 0 0.0
.bss 36144 36144 0 0.0
.data 1728 1728 0 0.0
.data.rel.ro 31528 31528 0 0.0
.dynamic 592 592 0 0.0
.got 3984 3984 0 0.0
.init 27 27 0 0.0
.init_array 408 408 0 0.0
.rodata 119500 119500 0 0.0
.text 1198981 1198981 0 0.0
chip-tool debug (read only) 6618837 6620765 1928 0.0
(read/write) 202128 202160 32 0.0
.bss 34440 34440 0 0.0
.data 1024 1024 0 0.0
.data.rel.ro 161112 161112 0 0.0
.dynamic 592 592 0 0.0
.got 4464 4488 24 0.5
.init 27 27 0 0.0
.init_array 480 480 0 0.0
.rodata 307224 307224 0 0.0
.text 5901429 5903045 1616 0.0
lighting-app debug+rpc (read only) 1707121 1707121 0 0.0
(read/write) 107408 107408 0 0.0
.bss 41808 41808 0 0.0
.data 1280 1280 0 0.0
.data.rel.ro 59024 59024 0 0.0
.dynamic 608 608 0 0.0
.got 4136 4136 0 0.0
.init 27 27 0 0.0
.init_array 536 536 0 0.0
.rodata 139281 139281 0 0.0
.text 1425538 1425538 0 0.0
ota-provider-app debug (read only) 1383857 1383857 0 0.0
(read/write) 72648 72648 0 0.0
.bss 38720 38720 0 0.0
.data 928 928 0 0.0
.data.rel.ro 27880 27880 0 0.0
.dynamic 592 592 0 0.0
.got 4048 4048 0 0.0
.init 27 27 0 0.0
.init_array 448 448 0 0.0
.rodata 120776 120776 0 0.0
.text 1158722 1158722 0 0.0
ota-requestor-app debug (read only) 1483945 1483945 0 0.0
(read/write) 76512 76512 0 0.0
.bss 40832 40832 0 0.0
.data 992 992 0 0.0
.data.rel.ro 29576 29576 0 0.0
.dynamic 592 592 0 0.0
.got 4032 4032 0 0.0
.init 27 27 0 0.0
.init_array 472 472 0 0.0
.rodata 132688 132688 0 0.0
.text 1243458 1243458 0 0.0
shell debug (read only) 818561 818561 0 0.0
(read/write) 60584 60584 0 0.0
.bss 16936 16936 0 0.0
.data 256 256 0 0.0
.data.rel.ro 38936 38936 0 0.0
.dynamic 592 592 0 0.0
.got 3504 3504 0 0.0
.init 27 27 0 0.0
.init_array 344 344 0 0.0
.rodata 83506 83506 0 0.0
.text 628418 628418 0 0.0
tv-app debug (read only) 2000921 2002841 1920 0.1
(read/write) 317616 317648 32 0.0
.bss 246712 246712 0 0.0
.data 1520 1520 0 0.0
.data.rel.ro 63720 63720 0 0.0
.dynamic 592 592 0 0.0
.got 4424 4448 24 0.5
.init 27 27 0 0.0
.init_array 624 624 0 0.0
.rodata 169320 169320 0 0.0
.text 1678722 1680338 1616 0.1
mbed all-clusters-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2309264 2309264 0 0.0
.bss 179628 179628 0 0.0
.data 5184 5184 0 0.0
.heap 851632 851632 0 0.0
.text 1271840 1271840 0 0.0
lighting-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2295592 2295592 0 0.0
.bss 173272 173272 0 0.0
.data 5496 5496 0 0.0
.heap 857680 857680 0 0.0
.text 1258192 1258192 0 0.0
lock-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2268688 2268688 0 0.0
.bss 172088 172088 0 0.0
.data 5496 5496 0 0.0
.heap 858864 858864 0 0.0
.text 1231288 1231288 0 0.0
pigweed-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 1140008 1140008 0 0.0
.bss 11756 11756 0 0.0
.data 4376 4376 0 0.0
.heap 1020312 1020312 0 0.0
.text 103392 103392 0 0.0
shell CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2046968 2046968 0 0.0
.bss 156732 156732 0 0.0
.data 4872 4872 0 0.0
.heap 874840 874840 0 0.0
.text 1009568 1009568 0 0.0
nrfconnect lighting-app nrf52840dk_nrf52840 (read/write) 891475 891475 0 0.0
bss 113752 113752 0 0.0
rodata 99412 99412 0 0.0
text 602752 602752 0 0.0
nrf52840dk_nrf52840+rpc (read/write) 854835 854835 0 0.0
bss 110100 110100 0 0.0
rodata 90772 90772 0 0.0
text 577748 577748 0 0.0
nrf5340dk_nrf5340_cpuapp (read/write) 817370 817370 0 0.0
bss 115124 115124 0 0.0
rodata 94668 94668 0 0.0
text 533088 533088 0 0.0
lock-app nrf52840dk_nrf52840 (read/write) 862331 862331 0 0.0
bss 110788 110788 0 0.0
rodata 95148 95148 0 0.0
text 581004 581004 0 0.0
nrf5340dk_nrf5340_cpuapp (read/write) 788470 788470 0 0.0
bss 112200 112200 0 0.0
rodata 90440 90440 0 0.0
text 511432 511432 0 0.0
pigweed-app nrf52840dk_nrf52840 (read/write) 497463 497463 0 0.0
bss 51820 51820 0 0.0
rodata 45852 45852 0 0.0
text 339492 339492 0 0.0
pump-app nrf52840dk_nrf52840 (read/write) 868331 868331 0 0.0
bss 110924 110924 0 0.0
rodata 96884 96884 0 0.0
text 585068 585068 0 0.0
pump-controller-app nrf52840dk_nrf52840 (read/write) 861411 861411 0 0.0
bss 110804 110804 0 0.0
rodata 95020 95020 0 0.0
text 580128 580128 0 0.0
shell nrf52840dk_nrf52840 (read/write) 779895 779895 0 0.0
bss 109696 109696 0 0.0
rodata 73796 73796 0 0.0
text 521908 521908 0 0.0
nrf5340dk_nrf5340_cpuapp (read/write) 694938 694938 0 0.0
bss 110680 110680 0 0.0
rodata 68436 68436 0 0.0
text 442512 442512 0 0.0
p6 all-clusters-app default (read/write) 2339520 2339520 0 0.0
.bss 107820 107820 0 0.0
.data 2456 2456 0 0.0
.heap 923064 923064 0 0.0
.text 1297784 1297784 0 0.0
light-app default (read/write) 2278872 2278872 0 0.0
.bss 98504 98504 0 0.0
.data 2336 2336 0 0.0
.heap 932504 932504 0 0.0
.text 1237136 1237136 0 0.0
lock-app default (read/write) 2254224 2254224 0 0.0
.bss 97160 97160 0 0.0
.data 2296 2296 0 0.0
.heap 933888 933888 0 0.0
.text 1212488 1212488 0 0.0
qpg lighting-app qpg6100+debug (read only) 510496 510496 0 0.0
(read/write) 122332 122332 0 0.0
.bss 80264 80264 0 0.0
.data 964 964 0 0.0
.text 505176 505176 0 0.0
lock-app qpg6100+debug (read only) 483320 483320 0 0.0
(read/write) 122332 122332 0 0.0
.bss 79176 79176 0 0.0
.data 916 916 0 0.0
.text 478000 478000 0 0.0
persistent-storage-app qpg6100+debug (read only) 108208 108208 0 0.0
(read/write) 122332 122332 0 0.0
.bss 36696 36696 0 0.0
.data 292 292 0 0.0
.text 102888 102888 0 0.0
telink lighting-app tlsr9518adk80d (read/write) 794550 794550 0 0.0
bss 80328 80328 0 0.0
noinit 37160 37160 0 0.0
text 554522 554522 0 0.0

@vijs vijs merged commit 1f5ec95 into project-chip:master Dec 3, 2021
This was referenced Dec 3, 2021
Closed
Closed
@vijs vijs deleted the feature/da_time_validity branch December 3, 2021 15:35
billwatersiii pushed a commit to billwatersiii/connectedhomeip that referenced this pull request Dec 3, 2021
@vijs @billwatersiii
Added time validity checking to Device Attestation Verifier (project-…
384a0a5 
…chip#12212)

* Added time validity checking to Device Attestation Verifier

* Added new methods to validate a certificate and implemented review comments

* Renamed IsCertificateValid to IsCertificateValidAtCurrentTime

* Removed "invalid issuing timestamp" test

* Disabled cert validation test in certain platforms
@harimau-qirex harimau-qirex mentioned this pull request Jan 31, 2022
Closed
Emill
Emill reviewed Mar 4, 2024
View reviewed changes
src/crypto/CHIPCryptoPALmbedTLS.cpp
Comment on lines +1348 to +1354
// check if certificate's notBefore timestamp is earlier than or equal to current time.
result = mbedtls_x509_time_is_past(&mbedCertificate.valid_from);
VerifyOrExit(result == 1, error = CHIP_ERROR_CERT_EXPIRED);

// check if certificate's notAfter timestamp is later than current time.
result = mbedtls_x509_time_is_future(&mbedCertificate.valid_to);
VerifyOrExit(result == 1, error = CHIP_ERROR_CERT_EXPIRED);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The usage of mbedtls_x509_time_is_past and mbedtls_x509_time_is_past are incorrect.

E.g. for mbedtls_x509_time_is_past, the documentation says:

 * \note           Intended usage is "if( is_past( valid_to ) ) ERROR".
 *                 Hence the return value of 1 if on internal errors.
...
 * \return         1 if the given time is in the past or an error occurred,
 *                 0 otherwise.

Therefore, if an error occurred, we accept the validity.

Correct should be something like this:

// check if certificate's notBefore timestamp is earlier than or equal to current time.
result = mbedtls_x509_time_is_future(&mbedCertificate.CHIP_CRYPTO_PAL_PRIVATE_X509(valid_from));
VerifyOrExit(result == 0, error = CHIP_ERROR_CERT_EXPIRED);

// check if certificate's notAfter timestamp is later than current time.
result = mbedtls_x509_time_is_past(&mbedCertificate.CHIP_CRYPTO_PAL_PRIVATE_X509(valid_to));
VerifyOrExit(result == 0, error = CHIP_ERROR_CERT_EXPIRED);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Emill Emill Emill left review comments

@woody-apple woody-apple woody-apple approved these changes

@hawk248 hawk248 hawk248 approved these changes

@emargolis emargolis emargolis approved these changes

@tcarmelveilleux tcarmelveilleux tcarmelveilleux approved these changes

@andy31415 andy31415 Awaiting requested review from andy31415

@cecille cecille Awaiting requested review from cecille

@chrisdecenzo chrisdecenzo Awaiting requested review from chrisdecenzo

@chulspro chulspro Awaiting requested review from chulspro

@Damian-Nordic Damian-Nordic Awaiting requested review from Damian-Nordic

@electrocucaracha electrocucaracha Awaiting requested review from electrocucaracha

@jelderton jelderton Awaiting requested review from jelderton

@jepenven-silabs jepenven-silabs Awaiting requested review from jepenven-silabs

@jmartinez-silabs jmartinez-silabs Awaiting requested review from jmartinez-silabs

@kpschoedel kpschoedel Awaiting requested review from kpschoedel

@LuDuda LuDuda Awaiting requested review from LuDuda

@mlepage-google mlepage-google Awaiting requested review from mlepage-google

@mrjerryjohns mrjerryjohns Awaiting requested review from mrjerryjohns

@msandstedt msandstedt Awaiting requested review from msandstedt

@mspang mspang Awaiting requested review from mspang

@saurabhst saurabhst Awaiting requested review from saurabhst

@selissia selissia Awaiting requested review from selissia

@tecimovic tecimovic Awaiting requested review from tecimovic

@wbschiller wbschiller Awaiting requested review from wbschiller

@yufengwangca yufengwangca Awaiting requested review from yufengwangca

@yunhanw-google yunhanw-google Awaiting requested review from yunhanw-google

Assignees
No one assigned
Labels
crypto review - approved
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@vijs @woody-apple @tcarmelveilleux @Emill @emargolis @hawk248