Fix generation of certificates without an expiration date. (#26402)

bzbarsky-apple · pull[bot] · commit 11380767e9d1 · 2023-07-07T20:09:21.000Z
* Fix generation of certificates without an expiration date.

Since Matter encodes "no expiration" as 0, we can't just check that notAfter &gt;=
notBefore; we have to check for the case when notAfter is "no expiration"
separately.

* Add unit test for no defined notAfter time.

* Add unit tests for conversion of certs with no defined notAfter time.
diff --git a/src/credentials/CHIPCert.cpp b/src/credentials/CHIPCert.cpp
@@ -1123,7 +1123,7 @@ DLL_EXPORT CHIP_ERROR ChipEpochToASN1Time(uint32_t epochTime, chip::ASN1::ASN1Un
     // times, which in consuming code can create a conversion from CHIP epoch 0 seconds to 99991231235959Z
     // for NotBefore, which is not conventional.
     //
-    // If an original X509 certificate encloses a NotBefore time that this the CHIP Epoch itself, 2000-01-01
+    // If an original X509 certificate encloses a NotBefore time that is the CHIP Epoch itself, 2000-01-01
     // 00:00:00, the resultant X509 certificate in a conversion back from CHIP TLV format using this time
     // conversion method will instead enclose the NotBefore time 99991231235959Z, which will invalidiate the
     // TBS signature.  Thus, certificates with this specific attribute are not usable with this code.
diff --git a/src/credentials/GenerateChipX509Cert.cpp b/src/credentials/GenerateChipX509Cert.cpp
@@ -330,7 +330,8 @@ CHIP_ERROR EncodeTBSCert(const X509CertRequestParams & requestParams, const Cryp
     bool isCA;
 
     VerifyOrReturnError(requestParams.SerialNumber >= 0, CHIP_ERROR_INVALID_ARGUMENT);
-    VerifyOrReturnError(requestParams.ValidityEnd >= requestParams.ValidityStart, CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(requestParams.ValidityEnd == kNullCertTime || requestParams.ValidityEnd >= requestParams.ValidityStart,
+                        CHIP_ERROR_INVALID_ARGUMENT);
 
     ReturnErrorOnFailure(requestParams.SubjectDN.GetCertType(certType));
     isCA = (certType == kCertType_ICA || certType == kCertType_Root);
diff --git a/src/credentials/tests/CHIPCert_test_vectors.cpp b/src/credentials/tests/CHIPCert_test_vectors.cpp
@@ -35,6 +35,7 @@ namespace TestCerts {
 extern const uint8_t gTestCerts[] = {
     TestCert::kRoot01,
     TestCert::kRoot02,
+    TestCert::kRoot03,
     TestCert::kICA01,
     TestCert::kICA02,
     TestCert::kICA01_1,
@@ -78,6 +79,7 @@ CHIP_ERROR GetTestCert(uint8_t certType, BitFlags<TestCertLoadFlags> certLoadFla
 
     SELECT_CERT(Root01);
     SELECT_CERT(Root02);
+    SELECT_CERT(Root03);
     SELECT_CERT(ICA01);
     SELECT_CERT(ICA02);
     SELECT_CERT(ICA01_1);
@@ -114,6 +116,7 @@ const char * GetTestCertName(uint8_t certType)
 
     NAME_CERT(Root01);
     NAME_CERT(Root02);
+    NAME_CERT(Root03);
     NAME_CERT(ICA01);
     NAME_CERT(ICA02);
     NAME_CERT(ICA01_1);
@@ -150,6 +153,7 @@ CHIP_ERROR GetTestCertPubkey(uint8_t certType, ByteSpan & pubkey)
 
     SELECT_PUBKEY(Root01);
     SELECT_PUBKEY(Root02);
+    SELECT_PUBKEY(Root03);
     SELECT_PUBKEY(ICA01);
     SELECT_PUBKEY(ICA02);
     SELECT_PUBKEY(ICA01_1);
@@ -189,6 +193,7 @@ CHIP_ERROR GetTestCertSKID(uint8_t certType, ByteSpan & skid)
 
     SELECT_SKID(Root01);
     SELECT_SKID(Root02);
+    SELECT_SKID(Root03);
     SELECT_SKID(ICA01);
     SELECT_SKID(ICA02);
     SELECT_SKID(ICA01_1);
@@ -228,6 +233,7 @@ CHIP_ERROR GetTestCertAKID(uint8_t certType, ByteSpan & akid)
 
     SELECT_AKID(Root01);
     SELECT_AKID(Root02);
+    SELECT_AKID(Root03);
     SELECT_AKID(ICA01);
     SELECT_AKID(ICA02);
     SELECT_AKID(ICA01_1);
@@ -557,6 +563,140 @@ extern const uint8_t sTestCert_Root02_AuthorityKeyId[] = {
 
 extern const size_t sTestCert_Root02_AuthorityKeyId_Len = sizeof(sTestCert_Root02_AuthorityKeyId);
 
+/**************  Test Root03 Certificate  **************
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 7744074172075392897 (0x6b787a6dfcd4bf81)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 1.3.6.1.4.1.37244.1.4 = CACACACA00000002, 1.3.6.1.4.1.37244.1.5 = FAB000000000001D
+        Validity
+            Not Before: Oct 15 14:23:43 2020 GMT
+            Not After : Dec 31 23:59:59 9999 GMT
+        Subject: 1.3.6.1.4.1.37244.1.4 = CACACACA00000002, 1.3.6.1.4.1.37244.1.5 = FAB000000000001D
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:71:05:40:8a:85:a9:d9:a0:8a:f8:b7:70:77:db:
+                    38:8b:7e:a4:38:97:dc:df:d3:16:f2:4f:0a:7e:71:
+                    de:69:a5:0c:44:55:0c:0c:9d:a2:36:1c:d8:29:e5:
+                    5f:dd:63:cc:f5:79:ed:44:e0:22:08:b4:f8:25:fc:
+                    d6:f0:68:2c:02
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:1
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier:
+                FF:87:F3:CD:D2:06:9A:EF:8D:5D:32:EB:A3:16:3B:9E:B0:0A:00:29
+            X509v3 Authority Key Identifier:
+                keyid:FF:87:F3:CD:D2:06:9A:EF:8D:5D:32:EB:A3:16:3B:9E:B0:0A:00:29
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:44:02:20:75:f6:70:eb:35:45:b9:97:86:46:67:99:eb:ea:
+         40:51:a3:41:af:2a:9b:67:7f:d7:1b:4c:3d:4e:68:09:3b:66:
+         02:20:5f:28:42:cb:7e:d3:19:9c:9a:d7:c9:62:79:47:a1:8a:
+         92:16:8a:fc:d6:5f:3e:9c:af:6e:ed:fa:9e:60:c5:2f
+
+-----BEGIN CERTIFICATE-----
+MIIB5TCCAYygAwIBAgIIa3h6bfzUv4EwCgYIKoZIzj0EAwIwRDEgMB4GCisGAQQB
+gqJ8AQQMEENBQ0FDQUNBMDAwMDAwMDIxIDAeBgorBgEEAYKifAEFDBBGQUIwMDAw
+MDAwMDAwMDFEMCAXDTIwMTAxNTE0MjM0M1oYDzk5OTkxMjMxMjM1OTU5WjBEMSAw
+HgYKKwYBBAGConwBBAwQQ0FDQUNBQ0EwMDAwMDAwMjEgMB4GCisGAQQBgqJ8AQUM
+EEZBQjAwMDAwMDAwMDAwMUQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARxBUCK
+hanZoIr4t3B32ziLfqQ4l9zf0xbyTwp+cd5ppQxEVQwMnaI2HNgp5V/dY8z1ee1E
+4CIItPgl/NbwaCwCo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQE
+AwIBBjAdBgNVHQ4EFgQU/4fzzdIGmu+NXTLroxY7nrAKACkwHwYDVR0jBBgwFoAU
+/4fzzdIGmu+NXTLroxY7nrAKACkwCgYIKoZIzj0EAwIDRwAwRAIgdfZw6zVFuZeG
+RmeZ6+pAUaNBryqbZ3/XG0w9TmgJO2YCIF8oQst+0xmcmtfJYnlHoYqSFor81l8+
+nK9u7fqeYMUv
+-----END CERTIFICATE-----
+
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHDnbQApKIHktaW8tOzQL/XkdbwUid5uw+jWPFo/LlqHoAoGCCqGSM49
+AwEHoUQDQgAEcQVAioWp2aCK+Ldwd9s4i36kOJfc39MW8k8KfnHeaaUMRFUMDJ2i
+NhzYKeVf3WPM9XntROAiCLT4JfzW8GgsAg==
+-----END EC PRIVATE KEY-----
+*/
+
+extern const uint8_t sTestCert_Root03_Chip[] = {
+    0x15, 0x30, 0x01, 0x08, 0x6b, 0x78, 0x7a, 0x6d, 0xfc, 0xd4, 0xbf, 0x81, 0x24, 0x02, 0x01, 0x37, 0x03, 0x27, 0x14, 0x02, 0x00,
+    0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x27, 0x15, 0x1d, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0xfa, 0x18, 0x26, 0x04, 0xef, 0x17,
+    0x1b, 0x27, 0x24, 0x05, 0x00, 0x37, 0x06, 0x27, 0x14, 0x02, 0x00, 0x00, 0x00, 0xca, 0xca, 0xca, 0xca, 0x27, 0x15, 0x1d, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0xb0, 0xfa, 0x18, 0x24, 0x07, 0x01, 0x24, 0x08, 0x01, 0x30, 0x09, 0x41, 0x04, 0x71, 0x05, 0x40, 0x8a,
+    0x85, 0xa9, 0xd9, 0xa0, 0x8a, 0xf8, 0xb7, 0x70, 0x77, 0xdb, 0x38, 0x8b, 0x7e, 0xa4, 0x38, 0x97, 0xdc, 0xdf, 0xd3, 0x16, 0xf2,
+    0x4f, 0x0a, 0x7e, 0x71, 0xde, 0x69, 0xa5, 0x0c, 0x44, 0x55, 0x0c, 0x0c, 0x9d, 0xa2, 0x36, 0x1c, 0xd8, 0x29, 0xe5, 0x5f, 0xdd,
+    0x63, 0xcc, 0xf5, 0x79, 0xed, 0x44, 0xe0, 0x22, 0x08, 0xb4, 0xf8, 0x25, 0xfc, 0xd6, 0xf0, 0x68, 0x2c, 0x02, 0x37, 0x0a, 0x35,
+    0x01, 0x29, 0x01, 0x24, 0x02, 0x01, 0x18, 0x24, 0x02, 0x60, 0x30, 0x04, 0x14, 0xff, 0x87, 0xf3, 0xcd, 0xd2, 0x06, 0x9a, 0xef,
+    0x8d, 0x5d, 0x32, 0xeb, 0xa3, 0x16, 0x3b, 0x9e, 0xb0, 0x0a, 0x00, 0x29, 0x30, 0x05, 0x14, 0xff, 0x87, 0xf3, 0xcd, 0xd2, 0x06,
+    0x9a, 0xef, 0x8d, 0x5d, 0x32, 0xeb, 0xa3, 0x16, 0x3b, 0x9e, 0xb0, 0x0a, 0x00, 0x29, 0x18, 0x30, 0x0b, 0x40, 0x75, 0xf6, 0x70,
+    0xeb, 0x35, 0x45, 0xb9, 0x97, 0x86, 0x46, 0x67, 0x99, 0xeb, 0xea, 0x40, 0x51, 0xa3, 0x41, 0xaf, 0x2a, 0x9b, 0x67, 0x7f, 0xd7,
+    0x1b, 0x4c, 0x3d, 0x4e, 0x68, 0x09, 0x3b, 0x66, 0x5f, 0x28, 0x42, 0xcb, 0x7e, 0xd3, 0x19, 0x9c, 0x9a, 0xd7, 0xc9, 0x62, 0x79,
+    0x47, 0xa1, 0x8a, 0x92, 0x16, 0x8a, 0xfc, 0xd6, 0x5f, 0x3e, 0x9c, 0xaf, 0x6e, 0xed, 0xfa, 0x9e, 0x60, 0xc5, 0x2f, 0x18,
+};
+
+extern const size_t sTestCert_Root03_Chip_Len = sizeof(sTestCert_Root03_Chip);
+
+extern const uint8_t sTestCert_Root03_DER[] = {
+    0x30, 0x82, 0x01, 0xe5, 0x30, 0x82, 0x01, 0x8c, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x6b, 0x78, 0x7a, 0x6d, 0xfc, 0xd4,
+    0xbf, 0x81, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x44, 0x31, 0x20, 0x30, 0x1e, 0x06,
+    0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x01, 0x04, 0x0c, 0x10, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41,
+    0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x32, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2,
+    0x7c, 0x01, 0x05, 0x0c, 0x10, 0x46, 0x41, 0x42, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x31, 0x44,
+    0x30, 0x20, 0x17, 0x0d, 0x32, 0x30, 0x31, 0x30, 0x31, 0x35, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, 0x39, 0x39,
+    0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x44, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x0a,
+    0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c, 0x01, 0x04, 0x0c, 0x10, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x30,
+    0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x32, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c,
+    0x01, 0x05, 0x0c, 0x10, 0x46, 0x41, 0x42, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x31, 0x44, 0x30,
+    0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01,
+    0x07, 0x03, 0x42, 0x00, 0x04, 0x71, 0x05, 0x40, 0x8a, 0x85, 0xa9, 0xd9, 0xa0, 0x8a, 0xf8, 0xb7, 0x70, 0x77, 0xdb, 0x38, 0x8b,
+    0x7e, 0xa4, 0x38, 0x97, 0xdc, 0xdf, 0xd3, 0x16, 0xf2, 0x4f, 0x0a, 0x7e, 0x71, 0xde, 0x69, 0xa5, 0x0c, 0x44, 0x55, 0x0c, 0x0c,
+    0x9d, 0xa2, 0x36, 0x1c, 0xd8, 0x29, 0xe5, 0x5f, 0xdd, 0x63, 0xcc, 0xf5, 0x79, 0xed, 0x44, 0xe0, 0x22, 0x08, 0xb4, 0xf8, 0x25,
+    0xfc, 0xd6, 0xf0, 0x68, 0x2c, 0x02, 0xa3, 0x66, 0x30, 0x64, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
+    0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x01, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04,
+    0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xff, 0x87, 0xf3, 0xcd, 0xd2, 0x06,
+    0x9a, 0xef, 0x8d, 0x5d, 0x32, 0xeb, 0xa3, 0x16, 0x3b, 0x9e, 0xb0, 0x0a, 0x00, 0x29, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
+    0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xff, 0x87, 0xf3, 0xcd, 0xd2, 0x06, 0x9a, 0xef, 0x8d, 0x5d, 0x32, 0xeb, 0xa3, 0x16, 0x3b,
+    0x9e, 0xb0, 0x0a, 0x00, 0x29, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30,
+    0x44, 0x02, 0x20, 0x75, 0xf6, 0x70, 0xeb, 0x35, 0x45, 0xb9, 0x97, 0x86, 0x46, 0x67, 0x99, 0xeb, 0xea, 0x40, 0x51, 0xa3, 0x41,
+    0xaf, 0x2a, 0x9b, 0x67, 0x7f, 0xd7, 0x1b, 0x4c, 0x3d, 0x4e, 0x68, 0x09, 0x3b, 0x66, 0x02, 0x20, 0x5f, 0x28, 0x42, 0xcb, 0x7e,
+    0xd3, 0x19, 0x9c, 0x9a, 0xd7, 0xc9, 0x62, 0x79, 0x47, 0xa1, 0x8a, 0x92, 0x16, 0x8a, 0xfc, 0xd6, 0x5f, 0x3e, 0x9c, 0xaf, 0x6e,
+    0xed, 0xfa, 0x9e, 0x60, 0xc5, 0x2f,
+};
+
+extern const size_t sTestCert_Root03_DER_Len = sizeof(sTestCert_Root03_DER);
+
+extern const uint8_t sTestCert_Root03_PublicKey[] = {
+    0x04, 0x71, 0x05, 0x40, 0x8a, 0x85, 0xa9, 0xd9, 0xa0, 0x8a, 0xf8, 0xb7, 0x70, 0x77, 0xdb, 0x38, 0x8b,
+    0x7e, 0xa4, 0x38, 0x97, 0xdc, 0xdf, 0xd3, 0x16, 0xf2, 0x4f, 0x0a, 0x7e, 0x71, 0xde, 0x69, 0xa5, 0x0c,
+    0x44, 0x55, 0x0c, 0x0c, 0x9d, 0xa2, 0x36, 0x1c, 0xd8, 0x29, 0xe5, 0x5f, 0xdd, 0x63, 0xcc, 0xf5, 0x79,
+    0xed, 0x44, 0xe0, 0x22, 0x08, 0xb4, 0xf8, 0x25, 0xfc, 0xd6, 0xf0, 0x68, 0x2c, 0x02,
+};
+
+extern const size_t sTestCert_Root03_PublicKey_Len = sizeof(sTestCert_Root03_PublicKey);
+
+extern const uint8_t sTestCert_Root03_PrivateKey[] = {
+    0x70, 0xe7, 0x6d, 0x00, 0x29, 0x28, 0x81, 0xe4, 0xb5, 0xa5, 0xbc, 0xb4, 0xec, 0xd0, 0x2f, 0xf5,
+    0xe4, 0x75, 0xbc, 0x14, 0x89, 0xde, 0x6e, 0xc3, 0xe8, 0xd6, 0x3c, 0x5a, 0x3f, 0x2e, 0x5a, 0x87,
+};
+
+extern const size_t sTestCert_Root03_PrivateKey_Len = sizeof(sTestCert_Root03_PrivateKey);
+
+extern const uint8_t sTestCert_Root03_SubjectKeyId[] = {
+    0xFF, 0x87, 0xF3, 0xCD, 0xD2, 0x06, 0x9A, 0xEF, 0x8D, 0x5D, 0x32, 0xEB, 0xA3, 0x16, 0x3B, 0x9E, 0xB0, 0x0A, 0x00, 0x29,
+};
+
+extern const size_t sTestCert_Root03_SubjectKeyId_Len = sizeof(sTestCert_Root03_SubjectKeyId);
+
+extern const uint8_t sTestCert_Root03_AuthorityKeyId[] = {
+    0xFF, 0x87, 0xF3, 0xCD, 0xD2, 0x06, 0x9A, 0xEF, 0x8D, 0x5D, 0x32, 0xEB, 0xA3, 0x16, 0x3B, 0x9E, 0xB0, 0x0A, 0x00, 0x29,
+};
+
+extern const size_t sTestCert_Root03_AuthorityKeyId_Len = sizeof(sTestCert_Root03_AuthorityKeyId);
+
 /**************  Test ICA01 Certificate  **************
 Certificate:
     Data:
diff --git a/src/credentials/tests/CHIPCert_test_vectors.h b/src/credentials/tests/CHIPCert_test_vectors.h
@@ -54,6 +54,7 @@ enum TestCert
     kNode02_06 = 14,
     kNode02_07 = 15,
     kNode02_08 = 16,
+    kRoot03    = 17,
 };
 
 // Special flags to alter how certificates are fetched/loaded.
@@ -106,6 +107,19 @@ extern const size_t sTestCert_Root02_SubjectKeyId_Len;
 extern const uint8_t sTestCert_Root02_AuthorityKeyId[];
 extern const size_t sTestCert_Root02_AuthorityKeyId_Len;
 
+extern const uint8_t sTestCert_Root03_Chip[];
+extern const size_t sTestCert_Root03_Chip_Len;
+extern const uint8_t sTestCert_Root03_DER[];
+extern const size_t sTestCert_Root03_DER_Len;
+extern const uint8_t sTestCert_Root03_PublicKey[];
+extern const size_t sTestCert_Root03_PublicKey_Len;
+extern const uint8_t sTestCert_Root03_PrivateKey[];
+extern const size_t sTestCert_Root03_PrivateKey_Len;
+extern const uint8_t sTestCert_Root03_SubjectKeyId[];
+extern const size_t sTestCert_Root03_SubjectKeyId_Len;
+extern const uint8_t sTestCert_Root03_AuthorityKeyId[];
+extern const size_t sTestCert_Root03_AuthorityKeyId_Len;
+
 extern const uint8_t sTestCert_ICA01_Chip[];
 extern const size_t sTestCert_ICA01_Chip_Len;
 extern const uint8_t sTestCert_ICA01_DER[];
diff --git a/src/credentials/tests/TestChipCert.cpp b/src/credentials/tests/TestChipCert.cpp
@@ -1345,6 +1345,23 @@ static void TestChipCert_GenerateRootCert(nlTestSuite * inSuite, void * inContex
     NL_TEST_ASSERT(inSuite, ConvertX509CertToChipCert(signed_cert_span2, outCert) == CHIP_NO_ERROR);
     NL_TEST_ASSERT(inSuite, DecodeChipCert(outCert, certData) == CHIP_NO_ERROR);
 
+    // Test with no defined notAfter time.
+    {
+        X509CertRequestParams root_params3 = { .SerialNumber  = 1234,
+                                               .ValidityStart = 631161876,
+                                               .ValidityEnd   = kNullCertTime,
+                                               .SubjectDN     = root_dn,
+                                               .IssuerDN      = root_dn };
+        MutableByteSpan signed_cert_span_no_expiry(signed_cert);
+
+        NL_TEST_ASSERT(inSuite, NewRootX509Cert(root_params3, keypair, signed_cert_span_no_expiry) == CHIP_NO_ERROR);
+        outCert = MutableByteSpan(outCertBuf);
+
+        NL_TEST_ASSERT(inSuite, ConvertX509CertToChipCert(signed_cert_span_no_expiry, outCert) == CHIP_NO_ERROR);
+        NL_TEST_ASSERT(inSuite, DecodeChipCert(outCert, certData) == CHIP_NO_ERROR);
+        NL_TEST_ASSERT(inSuite, certData.mNotAfterTime == kNullCertTime);
+    }
+
     // Test error case: root cert subject provided ICA OID Attribute.
     root_params.SubjectDN.Clear();
     NL_TEST_ASSERT(inSuite, root_params.SubjectDN.AddAttribute_MatterICACId(0xabcdabcd) == CHIP_NO_ERROR);
