Line data Source code
1 : /*
2 : *
3 : * Copyright (c) 2021 Project CHIP Authors
4 : *
5 : * Licensed under the Apache License, Version 2.0 (the "License");
6 : * you may not use this file except in compliance with the License.
7 : * You may obtain a copy of the License at
8 : *
9 : * http://www.apache.org/licenses/LICENSE-2.0
10 : *
11 : * Unless required by applicable law or agreed to in writing, software
12 : * distributed under the License is distributed on an "AS IS" BASIS,
13 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 : * See the License for the specific language governing permissions and
15 : * limitations under the License.
16 : */
17 : #pragma once
18 :
19 : #include <credentials/CHIPCert.h>
20 : #include <lib/core/CHIPError.h>
21 :
22 : namespace chip {
23 : namespace Credentials {
24 :
25 : enum class CertificateValidityResult
26 : {
27 : kValid = 0, // current time is known and is within the validity period bounded by [notBefore, notAfter]
28 : kNotYetValid = 1, // current time is known and falls before the validity period bounded by notBefore
29 : kExpired = 2, // current time is known and falls after the validity period bounded by notAfter
30 : kNotExpiredAtLastKnownGoodTime = 3, // Last Known Good Time is known and notAfter occurs at or after this
31 : kExpiredAtLastKnownGoodTime = 4, // Last Known Good Time is known and notAfter occurs before this
32 : kTimeUnknown = 5, // No time source is available
33 : };
34 :
35 : /// Callback to request application acceptance or rejection of the path
36 : /// segment based upon the CertificateValidityResult.
37 : class CertificateValidityPolicy
38 : {
39 : public:
40 721 : virtual ~CertificateValidityPolicy() {}
41 :
42 : /**
43 : * If a policy is provided to CHIPCert, this method is invoked to
44 : * determine what action an application determines is appropriate given
45 : * CHIPCert's evaluation of certificate validity based upon the best
46 : * available time source. If no policy is provided, CHIPCert enforces a
47 : * default policy.
48 : *
49 : * @param cert CHIP Certificate from a peer certificate chain to be evaluated based upon application-enacted expiration policies
50 : * @param depth the depth of the certificate in the chain, where the leaf is at depth 0
51 : * @return CHIP_NO_ERROR if CHIPCert should accept the certificate; an appropriate CHIP_ERROR if it should be rejected
52 : */
53 : virtual CHIP_ERROR ApplyCertificateValidityPolicy(const ChipCertificateData * cert, uint8_t depth,
54 : CertificateValidityResult result) = 0;
55 :
56 : /**
57 : * Default policy that will be used if no other policy is defined. This is
58 : * exposed to allow other policies to explicitly delegate to it as needed.
59 : */
60 : static CHIP_ERROR ApplyDefaultPolicy(const ChipCertificateData * cert, uint8_t depth, CertificateValidityResult result);
61 : };
62 :
63 : class IgnoreCertificateValidityPeriodPolicy : public CertificateValidityPolicy
64 : {
65 : public:
66 1 : IgnoreCertificateValidityPeriodPolicy() {}
67 :
68 : /**
69 : * This certificate validity policy does not validate NotBefore or
70 : * NotAfter to accommodate platforms that may have wall clock time, but
71 : * where it is unreliable.
72 : *
73 : * Last Known Good Time is also not considered in this policy.
74 : *
75 : * @param cert CHIP Certificate for which we are evaluating validity
76 : * @param depth the depth of the certificate in the chain, where the leaf is at depth 0
77 : * @return CHIP_NO_ERROR if CHIPCert should accept the certificate; an appropriate CHIP_ERROR if it should be rejected
78 : */
79 0 : CHIP_ERROR ApplyCertificateValidityPolicy(const Credentials::ChipCertificateData * cert, uint8_t depth,
80 : Credentials::CertificateValidityResult result) override
81 : {
82 0 : switch (result)
83 : {
84 0 : case Credentials::CertificateValidityResult::kValid:
85 : case Credentials::CertificateValidityResult::kNotYetValid:
86 : case Credentials::CertificateValidityResult::kExpired:
87 : case Credentials::CertificateValidityResult::kNotExpiredAtLastKnownGoodTime:
88 : case Credentials::CertificateValidityResult::kExpiredAtLastKnownGoodTime:
89 : case Credentials::CertificateValidityResult::kTimeUnknown:
90 0 : return CHIP_NO_ERROR;
91 0 : default:
92 0 : return CHIP_ERROR_INVALID_ARGUMENT;
93 : }
94 : }
95 : };
96 :
97 : } // namespace Credentials
98 : } // namespace chip
|
