Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ignore root cert expiration in Server. #26372

Merged
merged 1 commit into from
May 5, 2023
Merged

Ignore root cert expiration in Server. #26372

merged 1 commit into from
May 5, 2023

Conversation

bzbarsky-apple
Copy link
Contributor

Since there is no real way to rotate the root cert for a fabric, even just to update its validity period, enforcing the validity period for it just means making the fabric not work and runs the risk of making devices completely unreachable.

Switch to not validating expiration time for a root certificate, while keeping existing behavior for the NotBefore and all other certificate types.

@bzbarsky-apple
Ignore root cert expiration in Server.
e8d1b32 
Since there is no real way to rotate the root cert for a fabric, even just to
update its validity period, enforcing the validity period for it just means
making the fabric not work and runs the risk of making devices completely
unreachable.

Switch to not validating expiration time for a root certificate, while keeping
existing behavior for the NotBefore and all other certificate types.
@github-actions github-actions bot added the app label May 4, 2023
@github-actions
Copy link

github-actions bot commented May 4, 2023

PR #26372: Size comparison from de1c64a to e8d1b32

Increases (1 build for cc32xx)
platform target config section de1c64a e8d1b32 change % change
cc32xx lock CC3235SF_LAUNCHXL (read only) 604866 605066 200 0.0
(read/write) 204156 204164 8 0.0
.bss 197568 197576 8 0.0
.debug_abbrev 957005 957528 523 0.1
.debug_aranges 101104 101136 32 0.0
.debug_frame 341416 341512 96 0.0
.debug_info 19522697 19529296 6599 0.0
.debug_line 2666219 2666592 373 0.0
.debug_loclists 1488771 1489162 391 0.0
.debug_rnglists 94291 94315 24 0.0
.debug_str 3100491 3101368 877 0.0
.rodata 104346 104362 16 0.0
.strtab 482872 483384 512 0.1
.symtab 287120 287328 208 0.1
.text 498396 498580 184 0.0
Full report (1 build for cc32xx)
platform target config section de1c64a e8d1b32 change % change
cc32xx lock CC3235SF_LAUNCHXL 0 0 0 0.0
(read only) 604866 605066 200 0.0
(read/write) 204156 204164 8 0.0
.ARM.attributes 44 44 0 0.0
.ARM.exidx 8 8 0 0.0
.bss 197568 197576 8 0.0
.comment 206 206 0 0.0
.data 1468 1468 0 0.0
.debug_abbrev 957005 957528 523 0.1
.debug_aranges 101104 101136 32 0.0
.debug_frame 341416 341512 96 0.0
.debug_info 19522697 19529296 6599 0.0
.debug_line 2666219 2666592 373 0.0
.debug_line_str 513 513 0 0.0
.debug_loc 33340 33340 0 0.0
.debug_loclists 1488771 1489162 391 0.0
.debug_ranges 4984 4984 0 0.0
.debug_rnglists 94291 94315 24 0.0
.debug_str 3100491 3101368 877 0.0
.ramVecs 780 780 0 0.0
.resetVecs 64 64 0 0.0
.rodata 104346 104362 16 0.0
.shstrtab 265 265 0 0.0
.stack 2048 2048 0 0.0
.strtab 482872 483384 512 0.1
.symtab 287120 287328 208 0.1
.text 498396 498580 184 0.0

@bzbarsky-apple bzbarsky-apple merged commit ed8d546 into project-chip:master May 5, 2023
@bzbarsky-apple bzbarsky-apple deleted the ignore-root-cert-expiration branch May 5, 2023 16:19
bzbarsky-apple added a commit to bzbarsky-apple/connectedhomeip that referenced this pull request May 6, 2023
@bzbarsky-apple
Ignore root cert expiration in Server. (project-chip#26372)
63a05d2 
Since there is no real way to rotate the root cert for a fabric, even just to
update its validity period, enforcing the validity period for it just means
making the fabric not work and runs the risk of making devices completely
unreachable.

Switch to not validating expiration time for a root certificate, while keeping
existing behavior for the NotBefore and all other certificate types.
@bzbarsky-apple bzbarsky-apple mentioned this pull request May 6, 2023
Merged
andy31415 pushed a commit that referenced this pull request May 8, 2023
@bzbarsky-apple
Ignore root cert expiration in Server. (#26372) (#26406)
4ff8bc7 
Since there is no real way to rotate the root cert for a fabric, even just to
update its validity period, enforcing the validity period for it just means
making the fabric not work and runs the risk of making devices completely
unreachable.

Switch to not validating expiration time for a root certificate, while keeping
existing behavior for the NotBefore and all other certificate types.
Damian-Nordic pushed a commit to Damian-Nordic/connectedhomeip that referenced this pull request Jun 1, 2023
@bzbarsky-apple @ArekBalysNordic
[nrf fromtree] Ignore root cert expiration in Server. (project-chip#2…
da87603 
…6372) (project-chip#26406)

Since there is no real way to rotate the root cert for a fabric, even just to
update its validity period, enforcing the validity period for it just means
making the fabric not work and runs the risk of making devices completely
unreachable.

Switch to not validating expiration time for a root certificate, while keeping
existing behavior for the NotBefore and all other certificate types.

cherry-picked from: 4ff8bc7
@robinmo robinmo mentioned this pull request Jan 10, 2024
Closed
maciejbaczmanski pushed a commit to maciejbaczmanski/connectedhomeip that referenced this pull request Jul 15, 2024
@bzbarsky-apple @Damian-Nordic
[nrf fromtree] Ignore root cert expiration in Server. (project-chip#2…
ba9cc4f 
…6372) (project-chip#26406)

Since there is no real way to rotate the root cert for a fabric, even just to
update its validity period, enforcing the validity period for it just means
making the fabric not work and runs the risk of making devices completely
unreachable.

Switch to not validating expiration time for a root certificate, while keeping
existing behavior for the NotBefore and all other certificate types.

cherry-picked from: 4ff8bc7
maciejbaczmanski pushed a commit to maciejbaczmanski/connectedhomeip that referenced this pull request Jul 15, 2024
@kkasperczyk-no
Revert "[nrf fromtree] Ignore root cert expiration in Server. (projec…
85dce48 
…t-chip#26372) (project-chip#26406)"

This reverts commit ba9cc4f.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andy31415 andy31415 andy31415 approved these changes

@jtung-apple jtung-apple jtung-apple approved these changes

@amitnj amitnj Awaiting requested review from amitnj

@anush-apple anush-apple Awaiting requested review from anush-apple

@arkq arkq Awaiting requested review from arkq

@carol-apple carol-apple Awaiting requested review from carol-apple

@chrisdecenzo chrisdecenzo Awaiting requested review from chrisdecenzo

@chshu chshu Awaiting requested review from chshu

@chulspro chulspro Awaiting requested review from chulspro

@cliffamzn cliffamzn Awaiting requested review from cliffamzn

@CodeChronos928 CodeChronos928 Awaiting requested review from CodeChronos928

@Damian-Nordic Damian-Nordic Awaiting requested review from Damian-Nordic

@dhrishi dhrishi Awaiting requested review from dhrishi

@electrocucaracha electrocucaracha Awaiting requested review from electrocucaracha

@emargolis emargolis Awaiting requested review from emargolis

@franck-apple franck-apple Awaiting requested review from franck-apple

@gjc13 gjc13 Awaiting requested review from gjc13

@harimau-qirex harimau-qirex Awaiting requested review from harimau-qirex

@harsha-rajendran harsha-rajendran Awaiting requested review from harsha-rajendran

@hawk248 hawk248 Awaiting requested review from hawk248

@jelderton jelderton Awaiting requested review from jelderton

@jepenven-silabs jepenven-silabs Awaiting requested review from jepenven-silabs

@jmartinez-silabs jmartinez-silabs Awaiting requested review from jmartinez-silabs

@jmeg-sfy jmeg-sfy Awaiting requested review from jmeg-sfy

@joonhaengHeo joonhaengHeo Awaiting requested review from joonhaengHeo

@kcoppock kcoppock Awaiting requested review from kcoppock

@kkasperczyk-no kkasperczyk-no Awaiting requested review from kkasperczyk-no

@ksperling-apple ksperling-apple Awaiting requested review from ksperling-apple

@lazarkov lazarkov Awaiting requested review from lazarkov

@lpbeliveau-silabs lpbeliveau-silabs Awaiting requested review from lpbeliveau-silabs

@LuDuda LuDuda Awaiting requested review from LuDuda

@mlepage-google mlepage-google Awaiting requested review from mlepage-google

@mrjerryjohns mrjerryjohns Awaiting requested review from mrjerryjohns

@msandstedt msandstedt Awaiting requested review from msandstedt

@nivi-apple nivi-apple Awaiting requested review from nivi-apple

@saurabhst saurabhst Awaiting requested review from saurabhst

@selissia selissia Awaiting requested review from selissia

@sharadb-amazon sharadb-amazon Awaiting requested review from sharadb-amazon

@tcarmelveilleux tcarmelveilleux Awaiting requested review from tcarmelveilleux

@tecimovic tecimovic Awaiting requested review from tecimovic

@tehampson tehampson Awaiting requested review from tehampson

@vijs vijs Awaiting requested review from vijs

@vivien-apple vivien-apple Awaiting requested review from vivien-apple

@woody-apple woody-apple Awaiting requested review from woody-apple

@xylophone21 xylophone21 Awaiting requested review from xylophone21

@younghak-hwang younghak-hwang Awaiting requested review from younghak-hwang

@yufengwangca yufengwangca Awaiting requested review from yufengwangca

Assignees
No one assigned
Labels
app cherry picked to 1.1 review - approved
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bzbarsky-apple @andy31415 @jtung-apple