
Change Matter.framework to not put expiration time on certs by default. (#26520)
bzbarsky-apple authored and pull[bot] committed Nov 27, 2023
1 parent bf8f993 commit fffbe4f
Showing 4 changed files with 10 additions and 22 deletions.
15 changes: 6 additions & 9 deletions src/darwin/Framework/CHIP/MTRCertificates.h
Expand Up @@ -61,14 +61,13 @@ NS_ASSUME_NONNULL_BEGIN
MTR_NEWLY_AVAILABLE;

/**
* As above, but defaults to a 10-year validity period starting now.
* As above, but defaults to no expiration time.
*/
+ (MTRCertificateDERBytes _Nullable)createRootCertificate:(id<MTRKeypair>)keypair
issuerID:(NSNumber * _Nullable)issuerID
fabricID:(NSNumber * _Nullable)fabricID
error:(NSError * __autoreleasing _Nullable * _Nullable)error
API_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4))
MTR_NEWLY_DEPRECATED("Please use the version that specifies an explicit validity period");
API_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4));

/**
* Create an intermediate X.509 DER encoded certificate that has the
Expand Down Expand Up @@ -100,16 +99,15 @@ NS_ASSUME_NONNULL_BEGIN
MTR_NEWLY_AVAILABLE;

/**
* As above, but defaults to a 10-year validity period starting now.
* As above, but defaults to no expiration time.
*/
+ (MTRCertificateDERBytes _Nullable)createIntermediateCertificate:(id<MTRKeypair>)rootKeypair
rootCertificate:(MTRCertificateDERBytes)rootCertificate
intermediatePublicKey:(SecKeyRef)intermediatePublicKey
issuerID:(NSNumber * _Nullable)issuerID
fabricID:(NSNumber * _Nullable)fabricID
error:(NSError * __autoreleasing _Nullable * _Nullable)error
API_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4))
MTR_NEWLY_DEPRECATED("Please use the version that specifies an explicit validity period");
API_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4));

/**
* Create an X.509 DER encoded certificate that has the
Expand Down Expand Up @@ -147,7 +145,7 @@ NS_ASSUME_NONNULL_BEGIN
MTR_NEWLY_AVAILABLE;

/**
* As above, but defaults to a 10-year validity period starting now.
* As above, but defaults to no expiration time.
*/
+ (MTRCertificateDERBytes _Nullable)createOperationalCertificate:(id<MTRKeypair>)signingKeypair
signingCertificate:(MTRCertificateDERBytes)signingCertificate
Expand All @@ -156,8 +154,7 @@ NS_ASSUME_NONNULL_BEGIN
nodeID:(NSNumber *)nodeID
caseAuthenticatedTags:(NSSet<NSNumber *> * _Nullable)caseAuthenticatedTags
error:(NSError * __autoreleasing _Nullable * _Nullable)error
API_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4))
MTR_NEWLY_DEPRECATED("Please use the version that specifies an explicit validity period");
API_AVAILABLE(ios(16.4), macos(13.3), watchos(9.4), tvos(16.4));

/**
* Check whether the given keypair's public key matches the given certificate's
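Review bot: The new comment `As above, but defaults to no expiration time.` on the three convenience overloads leaves out the part a caller needs for a security decision: how "no expiration" is encoded and what then bounds the credential's life. A certificate that never expires is only invalidated by removing the fabric or rotating the issuing root, and since the `MTR_NEWLY_DEPRECATED` nudge toward the explicit-validity overload is also dropped here, the header is now the only place that can steer callers who need time-bounded certificates. I would expand each of the three comments to something like `As above, but the resulting certificate has no expiration time (its notAfter presumably maps to the "forever" value mentioned in MTROperationalCredentialsDelegate.h); it remains valid until the fabric or issuing root is removed. Use the overload above with an explicit validityPeriod when a bounded lifetime is required.` The word "presumably" is there because the encoding helper is not visible in this commit; drop it once confirmed.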
12 changes: 3 additions & 9 deletions src/darwin/Framework/CHIP/MTRCertificates.mm
Expand Up @@ -62,9 +62,7 @@ + (MTRCertificateDERBytes _Nullable)createRootCertificate:(id<MTRKeypair>)keypai
fabricID:(NSNumber * _Nullable)fabricID
error:(NSError * __autoreleasing *)error
{
auto * validityPeriod =
[[NSDateInterval alloc] initWithStartDate:[NSDate now]
duration:MTROperationalCredentialsDelegate::kCertificateDefaultValiditySecs];
auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] endDate:[NSDate distantFuture]];
return [self createRootCertificate:keypair issuerID:issuerID fabricID:fabricID validityPeriod:validityPeriod error:error];
}

Expand Down Expand Up @@ -98,9 +96,7 @@ + (MTRCertificateDERBytes _Nullable)createIntermediateCertificate:(id<MTRKeypair
fabricID:(NSNumber * _Nullable)fabricID
error:(NSError * __autoreleasing *)error
{
auto * validityPeriod =
[[NSDateInterval alloc] initWithStartDate:[NSDate now]
duration:MTROperationalCredentialsDelegate::kCertificateDefaultValiditySecs];
auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] endDate:[NSDate distantFuture]];
return [self createIntermediateCertificate:rootKeypair
rootCertificate:rootCertificate
intermediatePublicKey:intermediatePublicKey
Expand Down Expand Up @@ -142,9 +138,7 @@ + (MTRCertificateDERBytes _Nullable)createOperationalCertificate:(id<MTRKeypair>
caseAuthenticatedTags:(NSSet<NSNumber *> * _Nullable)caseAuthenticatedTags
error:(NSError * __autoreleasing _Nullable * _Nullable)error
{
auto * validityPeriod =
[[NSDateInterval alloc] initWithStartDate:[NSDate now]
duration:MTROperationalCredentialsDelegate::kCertificateDefaultValiditySecs];
auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] endDate:[NSDate distantFuture]];
return [self createOperationalCertificate:signingKeypair
signingCertificate:signingCertificate
operationalPublicKey:operationalPublicKey
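Review bot: The "never expires" policy is now spelled out three times as `[[NSDateInterval alloc] initWithStartDate:[NSDate now] endDate:[NSDate distantFuture]]`, and its correctness depends on `ToChipNotAfterEpochTime` (declared in MTROperationalCredentialsDelegate.h, body not in this commit) recognising `distantFuture` as the "forever" sentinel rather than truncating a year-4001 date into a 32-bit epoch; worth a unit test that decodes the produced cert and asserts the encoded notAfter. Centralising the interval in one private helper keeps the policy and its caveat in a single place, which is what I would change here. The three enclosing methods begin outside the hunk, so only the first line of each body is shown below. Separately, and pre-existing, `[NSDate now]` as notBefore makes a freshly issued cert "not yet valid" on a device whose clock lags the issuer's; if that has bitten commissioning before, the helper is the natural place to back-date the start.

```objc
// Default validity used by the convenience overloads: starts now and never
// expires. Kept in one place so the "no expiration" policy (and the reliance on
// ToChipNotAfterEpochTime treating distantFuture as "forever") is not duplicated.
+ (NSDateInterval *)defaultValidityPeriod
{
    return [[NSDateInterval alloc] initWithStartDate:[NSDate now] endDate:[NSDate distantFuture]];
}

// … in createRootCertificate:issuerID:fabricID:error: …
    auto * validityPeriod = [self defaultValidityPeriod];
// … in createIntermediateCertificate:…:error: …
    auto * validityPeriod = [self defaultValidityPeriod];
// … in createOperationalCertificate:…:error: …
    auto * validityPeriod = [self defaultValidityPeriod];
```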
3 changes: 0 additions & 3 deletions src/darwin/Framework/CHIP/MTROperationalCredentialsDelegate.h
Expand Up @@ -111,9 +111,6 @@ class MTROperationalCredentialsDelegate : public chip::Controller::OperationalCr
SecKeyRef operationalPublicKey, NSNumber * fabricId, NSNumber * nodeId, NSSet<NSNumber *> * _Nullable caseAuthenticatedTags,
NSDateInterval * validityPeriod, NSData * _Nullable __autoreleasing * _Nonnull operationalCert);

// 10 years.
static const uint32_t kCertificateDefaultValiditySecs = 10 * 365 * 24 * 60 * 60;

private:
// notAfter times can represent "forever".
static bool ToChipNotAfterEpochTime(NSDate * date, uint32_t & epoch);
Expand Up @@ -89,7 +89,7 @@
return CHIP_ERROR_INCORRECT_STATE;
}

auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] duration:kCertificateDefaultValiditySecs];
auto * validityPeriod = [[NSDateInterval alloc] initWithStartDate:[NSDate now] endDate:[NSDate distantFuture]];
return GenerateNOC(*mIssuerKey, (mIntermediateCert != nil) ? mIntermediateCert : mRootCert, nodeId, fabricId, cats, pubkey,
validityPeriod, noc);
}
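Review bot: The replaced line changes a security property of every NOC this delegate issues (the `GenerateNOC` call on the next line, used for automatic issuance) without any comment recording that the unbounded lifetime is intentional, so a future reader may take the `distantFuture` end date for an oversight and "fix" it back to a duration, or conversely never learn that revocation here means fabric removal rather than expiry. I would add, above the new line, `// NOCs issued by this controller carry no expiration; their lifetime is bounded by fabric membership (RemoveFabric/UpdateNOC), not by time.` The enclosing function begins before this hunk, and this file's header line is not shown on the page, so treat the function name as inferred.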
