blob: 0df351dff8390c7d297a85c0b09d9c9f3c35e8b6 [file] [log] [blame]
/*
*
* Copyright (c) 2021 Project CHIP Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#pragma once
#include <credentials/CHIPCert.h>
#include <lib/core/CHIPError.h>
namespace chip {
namespace Credentials {
enum class CertificateValidityResult
{
kValid = 0, // current time is known and is within the validity period bounded by [notBefore, notAfter]
kNotYetValid = 1, // current time is known and falls before the validity period bounded by notBefore
kExpired = 2, // current time is known and falls after the validity period bounded by notAfter
kNotExpiredAtLastKnownGoodTime = 3, // Last Known Good Time is known and notAfter occurs at or after this
kExpiredAtLastKnownGoodTime = 4, // Last Known Good Time is known and notAfter occurs before this
kTimeUnknown = 5, // No time source is available
};
/// Callback to request application acceptance or rejection of the path
/// segment based upon the CertificateValidityResult.
class CertificateValidityPolicy
{
public:
virtual ~CertificateValidityPolicy() {}
/**
* If a policy is provided to CHIPCert, this method is invoked to
* determine what action an application determines is appropriate given
* CHIPCert's evaluation of certificate validity based upon the best
* available time source. If no policy is provided, CHIPCert enforces a
* default policy.
*
* @param cert CHIP Certificate from a peer certificate chain to be evaluated based upon application-enacted expiration policies
* @param depth the depth of the certificate in the chain, where the leaf is at depth 0
* @return CHIP_NO_ERROR if CHIPCert should accept the certificate; an appropriate CHIP_ERROR if it should be rejected
*/
virtual CHIP_ERROR ApplyCertificateValidityPolicy(const ChipCertificateData * cert, uint8_t depth,
CertificateValidityResult result) = 0;
};
} // namespace Credentials
} // namespace chip