Google Git
Sign in
pigweed / third_party / github / project-chip / connectedhomeip / refs/heads/master / . / src / credentials / CertificateValidityPolicy.h
blob: 58552af728a047336f1db4b7833f4076307fe245 [file] [log] [blame]
/*
*
* Copyright (c) 2021 Project CHIP Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#pragma once
#include <credentials/CHIPCert.h>
#include <lib/core/CHIPError.h>
namespace chip {
namespace Credentials {
enum class CertificateValidityResult
{
kValid = 0, // current time is known and is within the validity period bounded by [notBefore, notAfter]
kNotYetValid = 1, // current time is known and falls before the validity period bounded by notBefore
kExpired = 2, // current time is known and falls after the validity period bounded by notAfter
kNotExpiredAtLastKnownGoodTime = 3, // Last Known Good Time is known and notAfter occurs at or after this
kExpiredAtLastKnownGoodTime = 4, // Last Known Good Time is known and notAfter occurs before this
kTimeUnknown = 5, // No time source is available
};
/// Callback to request application acceptance or rejection of the path
/// segment based upon the CertificateValidityResult.
class CertificateValidityPolicy
{
public:
virtual ~CertificateValidityPolicy() {}
/**
* If a policy is provided to CHIPCert, this method is invoked to
* determine what action an application determines is appropriate given
* CHIPCert's evaluation of certificate validity based upon the best
* available time source. If no policy is provided, CHIPCert enforces a
* default policy.
*
* @param cert CHIP Certificate from a peer certificate chain to be evaluated based upon application-enacted expiration policies
* @param depth the depth of the certificate in the chain, where the leaf is at depth 0
* @return CHIP_NO_ERROR if CHIPCert should accept the certificate; an appropriate CHIP_ERROR if it should be rejected
*/
virtual CHIP_ERROR ApplyCertificateValidityPolicy(const ChipCertificateData * cert, uint8_t depth,
CertificateValidityResult result) = 0;
/**
* Default policy that will be used if no other policy is defined. This is
* exposed to allow other policies to explicitly delegate to it as needed.
*/
static CHIP_ERROR ApplyDefaultPolicy(const ChipCertificateData * cert, uint8_t depth, CertificateValidityResult result);
};
class IgnoreCertificateValidityPeriodPolicy : public CertificateValidityPolicy
{
public:
IgnoreCertificateValidityPeriodPolicy() {}
/**
* This certificate validity policy does not validate NotBefore or
* NotAfter to accommodate platforms that may have wall clock time, but
* where it is unreliable.
*
* Last Known Good Time is also not considered in this policy.
*
* @param cert CHIP Certificate for which we are evaluating validity
* @param depth the depth of the certificate in the chain, where the leaf is at depth 0
* @return CHIP_NO_ERROR if CHIPCert should accept the certificate; an appropriate CHIP_ERROR if it should be rejected
*/
CHIP_ERROR ApplyCertificateValidityPolicy(const Credentials::ChipCertificateData * cert, uint8_t depth,
Credentials::CertificateValidityResult result) override
{
switch (result)
{
case Credentials::CertificateValidityResult::kValid:
case Credentials::CertificateValidityResult::kNotYetValid:
case Credentials::CertificateValidityResult::kExpired:
case Credentials::CertificateValidityResult::kNotExpiredAtLastKnownGoodTime:
case Credentials::CertificateValidityResult::kExpiredAtLastKnownGoodTime:
case Credentials::CertificateValidityResult::kTimeUnknown:
return CHIP_NO_ERROR;
default:
return CHIP_ERROR_INVALID_ARGUMENT;
}
}
};
} // namespace Credentials
} // namespace chip