LCOV - code coverage report
Current view: top level - credentials - CertificateValidityPolicy.h (source / functions) Hit Total Coverage
Test: lcov_final.info Lines: 2 8 25.0 %
Date: 2024-02-15 08:20:41 Functions: 2 4 50.0 % 

          Line data    Source code
       1             : /*
       2             :  *
       3             :  *    Copyright (c) 2021 Project CHIP Authors
       4             :  *
       5             :  *    Licensed under the Apache License, Version 2.0 (the "License");
       6             :  *    you may not use this file except in compliance with the License.
       7             :  *    You may obtain a copy of the License at
       8             :  *
       9             :  *        http://www.apache.org/licenses/LICENSE-2.0
      10             :  *
      11             :  *    Unless required by applicable law or agreed to in writing, software
      12             :  *    distributed under the License is distributed on an "AS IS" BASIS,
      13             :  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      14             :  *    See the License for the specific language governing permissions and
      15             :  *    limitations under the License.
      16             :  */
      17             : #pragma once
      18             : 
      19             : #include <credentials/CHIPCert.h>
      20             : #include <lib/core/CHIPError.h>
      21             : 
      22             : namespace chip {
      23             : namespace Credentials {
      24             : 
      25             : enum class CertificateValidityResult
      26             : {
      27             :     kValid                         = 0, // current time is known and is within the validity period bounded by [notBefore, notAfter]
      28             :     kNotYetValid                   = 1, // current time is known and falls before the validity period bounded by notBefore
      29             :     kExpired                       = 2, // current time is known and falls after the validity period bounded by notAfter
      30             :     kNotExpiredAtLastKnownGoodTime = 3, // Last Known Good Time is known and notAfter occurs at or after this
      31             :     kExpiredAtLastKnownGoodTime    = 4, // Last Known Good Time is known and notAfter occurs before this
      32             :     kTimeUnknown                   = 5, // No time source is available
      33             : };
      34             : 
      35             : /// Callback to request application acceptance or rejection of the path
      36             : /// segment based upon the CertificateValidityResult.
      37             : class CertificateValidityPolicy
      38             : {
      39             : public:
      40         646 :     virtual ~CertificateValidityPolicy() {}
      41             : 
      42             :     /**
      43             :      *  If a policy is provided to CHIPCert, this method is invoked to
      44             :      *  determine what action an application determines is appropriate given
      45             :      *  CHIPCert's evaluation of certificate validity based upon the best
      46             :      *  available time source.  If no policy is provided, CHIPCert enforces a
      47             :      *  default policy.
      48             :      *
      49             :      * @param cert CHIP Certificate from a peer certificate chain to be evaluated based upon application-enacted expiration policies
      50             :      * @param depth the depth of the certificate in the chain, where the leaf is at depth 0
      51             :      * @return CHIP_NO_ERROR if CHIPCert should accept the certificate; an appropriate CHIP_ERROR if it should be rejected
      52             :      */
      53             :     virtual CHIP_ERROR ApplyCertificateValidityPolicy(const ChipCertificateData * cert, uint8_t depth,
      54             :                                                       CertificateValidityResult result) = 0;
      55             : 
      56             :     /**
      57             :      * Default policy that will be used if no other policy is defined.  This is
      58             :      * exposed to allow other policies to explicitly delegate to it as needed.
      59             :      */
      60             :     static CHIP_ERROR ApplyDefaultPolicy(const ChipCertificateData * cert, uint8_t depth, CertificateValidityResult result);
      61             : };
      62             : 
      63             : class IgnoreCertificateValidityPeriodPolicy : public CertificateValidityPolicy
      64             : {
      65             : public:
      66           1 :     IgnoreCertificateValidityPeriodPolicy() {}
      67             : 
      68             :     /**
      69             :      * This certificate validity policy does not validate NotBefore or
      70             :      * NotAfter to accommodate platforms that may have wall clock time, but
      71             :      * where it is unreliable.
      72             :      *
      73             :      * Last Known Good Time is also not considered in this policy.
      74             :      *
      75             :      * @param cert CHIP Certificate for which we are evaluating validity
      76             :      * @param depth the depth of the certificate in the chain, where the leaf is at depth 0
      77             :      * @return CHIP_NO_ERROR if CHIPCert should accept the certificate; an appropriate CHIP_ERROR if it should be rejected
      78             :      */
      79           0 :     CHIP_ERROR ApplyCertificateValidityPolicy(const Credentials::ChipCertificateData * cert, uint8_t depth,
      80             :                                               Credentials::CertificateValidityResult result) override
      81             :     {
      82           0 :         switch (result)
      83             :         {
      84           0 :         case Credentials::CertificateValidityResult::kValid:
      85             :         case Credentials::CertificateValidityResult::kNotYetValid:
      86             :         case Credentials::CertificateValidityResult::kExpired:
      87             :         case Credentials::CertificateValidityResult::kNotExpiredAtLastKnownGoodTime:
      88             :         case Credentials::CertificateValidityResult::kExpiredAtLastKnownGoodTime:
      89             :         case Credentials::CertificateValidityResult::kTimeUnknown:
      90           0 :             return CHIP_NO_ERROR;
      91           0 :         default:
      92           0 :             return CHIP_ERROR_INVALID_ARGUMENT;
      93             :         }
      94             :     }
      95             : };
      96             : 
      97             : } // namespace Credentials
      98             : } // namespace chip

Generated by: LCOV version 1.14